They’re at least easier to type and remember.
Research seem to show that you may be able to set aside those long, complex, random passwords and replace them with (some would say) a few as three random words.
Let’s look into the math, the practicality, and, as always, the caveats.
Become a Patron of Ask Leo! and go ad-free!
Three random words?
Choosing as few as three random words will generally be longer than a typical random password, and can be more secure because it’s easier to manage and more likely to be used properly. Password reuse is to be avoided, and password vaults should be used, but adding the option of three (or more) random words to your password arsenal can help improve your security in a pragmatic way.
How many possibilities?
When we’re talking about choosing random characters, the subset is pretty well defined: 26 letters, upper and lower case, 10 digits, and then some number of “special characters”. Assuming 10 for the latter, that’s a total of 72 possibilities for each single character.1
With that information, we can calculate the possibilities:
- A two-character combination has 72*72 possibilities: 5184.
- An eight-character password made of random characters has 72^8 possible combinations: 722,204,136,308,736, aka ~7.2e+14 aka ~722 trillion.
- A 12-character password has 72^12: 19,408,409,961,765,342,806,016, aka ~1.9e+22 combinations.
- A 16-character password has 72^16: 521,578,814,501,447,328,359,509,917,696, aka ~5.2e+29 possibilities.
- A 20-character random password, my current default, has 14,016,833,953,562,607,293,918,185,758,734,155,776, aka ~1.4e+37 possibilities.
How many words?
In order to compare using three words to using long, random-character passwords, we need to make some assumptions about the number of words you and I are likely to choose from.
There are apparently 171,146 words in the English language, at least according to the Oxford English Dictionary as quoted by the BBC. More realistically, they indicate most native speakers understand 15,000 to 20,000 words.2
Let’s be conservative and use a 10,000 word pool to choose from.
- A single word, thus, is one of 10,000 possibilities.
- A two-word combination is 10,000 times 10,000, or 100,000,000 combinations.
- Three words? 10,000^3 or 1,000,000,000,000, aka one trillion, or 1e+12.
- Four words, 10,000^4, would be 10,000,000,000,000,000, aka 10 quadrillion, or 1e+16.
- Five words, 10,000^5, is 100,000,000,000,000,000,000, aka 1e+20
- Six words, 10,000^6, is 1,000,000,000,000,000,000,000,000, aka 1e+24
Right now, this isn’t looking very good. An attacker trying every possible word out of our pool of 10,000 could potentially brute-force attack a three-word password in less time than they could brute-force attack all possible eight-character passwords.
But wait. We’re comparing apples and oranges.
Brute-force attacks on an eight-character password try every possible eight-password. All 722,204,136,308,736 of them.
Brute-force attacks on three-word passwords can try all trillion combinations, but that’s not enough. Remember, passwords much match exactly. So, how exactly did you enter that three-word password?
- word2 word2 word3
- Word1 Word2 Word3
You get the idea. Just knowing that it’s a three-word password isn’t enough. You also have to get the separators and capitalization right. Exactly right. This makes a word-based brute-force attack significantly more difficult than the numbers might imply.
With one list of 10,000 common English words having an average length of just over five characters, a three-word password will average 15 characters, plus more for the various separation techniques listed above. It’s the equivalent of a 16-character random password for a try-every-possible-character brute-force attack — an attack that’s not feasible with today’s technology.
And if you want to completely block word-based brute-force attacks, just add a single word or string that doesn’t appear in any dictionary or word list to every password. For example “word1 word2 word3 ackpft”. With that, the chances of being discovered by brute force fall to the miniscule.
Brute force is passé
While hackers might do some limited amount of character-based brute force, since the number of people using word combinations remains low, I’d imagine trying all the combinations of words is not on the radar of many hackers.
Besides, there are easier ways for hackers to get passwords these days.
One of the most common? Password reuse.
One of the more pragmatic attack modes is to try all passwords previously discovered anywhere, ever. Any time a new password is discovered, it’s simply added to the list and tried in future attempts. I suspect this gives the hackers a pretty high success rate.
As long as your password is long — say 16 characters — and random — either random characters or words — it’s unlikely to have ever been used before, and unlikely to appear on that list.
The article that spurred this little thought exercise — “The logic behind three random words,” by the UK’s National Cyber Security Center — focuses primarily on usability as the driving factor. People are much more likely to use and remember three random words than they are even eight random characters, much less longer strings.
My discussion above is mostly about the math involved, and how simple comparisons of brute-force attack types aren’t really valid. Three random-word passwords really can be as secure as traditional random character combinations…
… with these agreements:
- Never reuse passwords. No matter how the password is created, no matter how long it is, once it’s discovered, it’s no longer secure and shouldn’t be used anywhere.
- Use a password vault. Remembering three random words is easier, but it’s still difficult if you have a lot of them to remember. Regardless of how you create your passwords, a password vault remains the most secure way to keep track of them all.
Use what works for you
If you prefer 20-character passwords of the form TrUURqPK7kTQ8F3s8yVj, then go for it. I continue to use this most of the time, because LastPass’s password generator3 is right there, and it’s LastPass that tracks it all for me. In cases where I might need to remember a password without LastPass’s assistance, I’ll use a multi-word password.
But make sure to use a method that’s secure, don’t reuse the passwords you create, and please consider using a password vault to keep track of it all.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Download (right-click, Save-As) (Duration: 12:02 — 13.8MB)
Footnotes & References
1: Yes, I know, many systems accept more than 10 “special characters”. Unfortunately, we’ve been trained to limit our selection to “the obvious 10-or-so” because so many systems balk if you step outside that range. Feel free to use more different characters if you find systems that support them. It only increases your security.
2: Actually, word families. “Word family/lemma is a root word and all its inflections, for example: run, running, ran; blue, bluer, bluest, blueish, etc.”
3: Common Words Password Generator is an online tool you can use to generate random multi-word passwords using its roughly 10,000 word database. It’ll call three-word passwords “poor” because it doesn’t take into account the separation/capitalization nuances I mentioned above. It’ll let you use more words if you like.
24 comments on “Do Random Words Make Better Passwords?”
Thank you for the comment about multiple use passwords. For this evenings entertainment I will be changing passwords. Love ya Leo. You are definitely saving me from myself.
Another thing to watch out for. I’ve seen suggestions of using the same password root, for example donkey-hatchet-electricity and add the name of each website to the end or the beginning, for example donkey-hatchet-electricity-askleo. That is a unique password, but if that password shows up in a breach, the hackers will know the pattern and be able to try donkey-hatchet-electricity-gmail or hotmail-donkey-hatchet-electricity and be able to get in.
When I read that comment on another article, it seemed pretty good, but when I thought about it, I realized the shortcoming of that method.
Am I increasing my password strength incrementally when I use 3 common words but add additional characters and/or numbers to the string? For example, a password I might come up with randomly on my own would be goose22punctuate#!plumbline. The advantage to a password like that isn’t necessarily the ability of my brain to “remember it,” but it is easier and far faster to enter when asked and when I have to look it up in my password manager.
Obviously, you’d get a more secure password by adding more characters, and numbers and punctuation would add a bit more complexity.
Password requirements and password managers (PM) still need a lot of work. The big issue I have with random generated passwords is typing them in. I am not a very good typer, so the more complex,the greater my error rate is. Which can cause my account to be locked out. Some accounts do not work with PMs. Worst yet, they do not allow copy and past of the password. This 3 word system could be the ticket for those accounts
One more useful vairation to tjhe 3 word password: Misspellingg.
So the old meme of “correcthorsebatterystaple” is still right after all these years, and all the times I’ve told it to people and sent it around? Whodathunkit?
Those are four words. That’s even better ;-) , although it’s the total password length that matters.
As usual an excellent insight demonstrated in your answer…….but, not restricting the Hacker to mathematical probability theory, weakens the argument on security. For example, intuitively the hacker could sniff out that sibling/parent names have been used. If you ignore the maths and work on an intuitive basis, then the odds on discovery of combined words are less by several orders of magnitude.
If the website is using a proper hash, you can use your relatives’ names without any problem as long as you had two other words. I’d stay away from using three relatives’ names in the extremely rare case (probability close to zero) where a person who knows you might try combinations of names. For example, maudestevecowbell would be unguessable even to a sibling of yours.
Next time I have to reset a password, I’m going to see if the website will let me use Alt characters, such as 234. I just hope LastPass doesn’t complain when it tries to save the password. Where I work, Alt characters 001 to 032 and 126 to 252 are permitted in passwords for an in-house designed application.
I should have remembered certain characters are HTML syntax characters. When I said, “…such as 234.” I included HTML syntax characters. I should have typed “…such as (left carrot)ALT(right carrot) 234.”. Whenever I refer to a specific keystroke, I’ve always put it between left and right carrots to differentiate it from individual characters.
One problem with long complex passwords. Try using one to log into Roku or Britbox using the on screen keyboard.
Been there. Done that. SO painful. Makes me really appreciate the apps that let you login on your phone/pc and then connect to the Roku app.
As much as I respect Leo’s opinion, I can’t bring myself to use LastPass or similar programs. Everybody’s getting hacked; why not them too one day?
1. My method is to save all my login credentials in a Word document, and to save the Word file on a small USB drive. When I need a password, I plug in the USB drive, open the Word document, and copy/paste the 20+ digit random generated password.
2. The USB drive is within arm’s reach of my computer but well hidden.
3. The USB drive is backed up by two other USB drives hidden elsewhere in the house.
I know, lot of pitfalls in my method but it’s one I feel I can trust.
You should encrypt that document. 7Zip zip encryption is free and works well for that.
How Do I Encrypt a File?
This could still leave unencrypted copies of the document around, unless you also carefully delete and then do a free space wipe every time.
The biggest pitfall I can see is that by opening the doc in Word you may be leaving your entire password list in unencrypted temporary files, recoverable files, and perhaps even in memory.
This article also address the hacking worry: Responses to Your Three Common Password Manager Objections
I have a password file for things LastPass can’t fill. I keep them in a .txt file and work on them in Notepad.exe. I hadn’t considered the unindexed data still there after deletion. Instead of a free space wipe. You can instruct 7Zip not to delete the file and run a file shredder on that file.
Another challenge to long random passwords is the sites that don’t permit pasting or auto-filling userid & password credentials. For such sites the horse-battery+stapel! option is easy to read from the password manager and retype into the logon screen.
Another issue is sites that limit the length of the permitted password or don’t allow special characters. Their Devs should be sent to website security school.
The Devs that don’t bother to store passwords in hashed & salted form should be sentenced to a life-time of filling in captchas.
What about a sentence that you and your spouse can easily remember, such as: “Mommy is a good cook” ?
I would avoid sentences. The important aspect here is “random”. The more random the better. Sentences are not random.
If you add one unrelated word to the sentence and change some of the letters to similar looking numbers, it will significantly randomize the password.
For example, “M0mmy1s4G00dC00kTr4mp0l1n3”. Fully random is still better, but that one word makes it significantly better. Be careful of trusting those number replacements in sentences. Dictionary attacks sometimes account for those substitutions. And best of all is a password generated by a password generator and stored in a password manager.