They’re at least easier to type and remember.
Research seems to show that you may be able to set aside those long, complex, random passwords and replace them with (some would say) as few as three random words.
Let’s look into the math, the practicality, and, as always, the caveats.
Three random words?
A password made of as few as three random words will generally be longer than a typical random-character password, and in practice it can be just as secure, because it's easier to manage and more likely to be used properly. Password reuse is still to be avoided and a password vault should still be used, but adding three (or more) random words to your password arsenal can improve your security in a pragmatic way. One thing to be clear about up front: "random" means words picked by a generator or drawn at random from a list, not three words you happen to think of. Words people think of tend to be related to each other and to their lives, and that is exactly what a guessing attack exploits.
How many possibilities?
When we’re talking about choosing random characters, the subset is pretty well defined: 26 letters, upper and lower case, 10 digits, and then some number of “special characters”. Assuming 10 for the latter, that’s a total of 72 possibilities for each single character.1
With that information, we can calculate the possibilities:
- A two-character combination has 72*72 possibilities: 5184.
- An eight-character password made of random characters has 72^8 possible combinations: 722,204,136,308,736, aka ~7.2e+14 aka ~722 trillion.
- A 12-character password has 72^12: 19,408,409,961,765,342,806,016, aka ~1.9e+22 combinations.
- A 16-character password has 72^16: 521,578,814,501,447,328,359,509,917,696, aka ~5.2e+29 possibilities.
- A 20-character random password, my current default, has 72^20: 14,016,833,953,562,607,293,918,185,758,734,155,776, aka ~1.4e+37 possibilities.
How many words?
In order to compare using three words to using long, random-character passwords, we need to make some assumptions about the number of words you and I are likely to choose from.
There are apparently 171,146 words in the English language, at least according to the Oxford English Dictionary as quoted by the BBC. More realistically, they indicate most native speakers understand 15,000 to 20,000 words.2
Let’s be conservative and use a 10,000 word pool to choose from.
- A single word, thus, is one of 10,000 possibilities.
- A two-word combination is 10,000 times 10,000, or 100,000,000 combinations.
- Three words? 10,000^3 or 1,000,000,000,000, aka one trillion, or 1e+12.
- Four words, 10,000^4, would be 10,000,000,000,000,000, aka 10 quadrillion, or 1e+16.
- Five words, 10,000^5, is 100,000,000,000,000,000,000, aka 1e+20
- Six words, 10,000^6, is 1,000,000,000,000,000,000,000,000, aka 1e+24
Right now, this isn’t looking very good. An attacker trying every possible word out of our pool of 10,000 could potentially brute-force attack a three-word password in less time than they could brute-force attack all possible eight-character passwords.
But wait. We’re comparing apples and oranges.
Brute-force attacks on an eight-character password try every possible eight-character password. All 722,204,136,308,736 of them.
Brute-force attacks on three-word passwords can try all trillion word combinations, but that's not enough. Remember, passwords must match exactly. So, how exactly did you enter that three-word password?
- word1 word2 word3
- Word1 Word2 Word3
- word1-word2-word3
- Word1Word2Word3
You get the idea. Just knowing that it's a three-word password isn't enough. You also have to get the separators and capitalization right. Exactly right. That makes a word-based brute-force attack harder than the raw word count implies, but be honest about how much harder: each separator or capitalization pattern the attacker has to try multiplies the work, it doesn't square it. A couple of dozen patterns adds a factor of about 20 (a little over four bits), taking three words from one trillion guesses to a few tens of trillions, which is still less than the 722 trillion of an eight-character random password. Password-cracking tools already ship with rule sets for exactly these kinds of variations, so an attacker who suspects words will apply them.
With one list of 10,000 common English words having an average length of just over five characters, a three-word password will average 15 characters, plus more for the separators. Against an attacker who doesn't know it's made of words and simply tries every character combination, that's the equivalent of a 16-character random password, an attack that's not feasible with today's technology even offline against a fast hash. The word-aware attacker is the one to plan for, and there are two easy ways to do that.
First, if you want to defeat a pure word-list attack, add a single word or string that doesn't appear in any dictionary or word list to every password. For example "word1 word2 word3 ackpft". An attacker can only guess that extra token character by character, so six random characters multiply the work by 72^6, roughly 140 billion, and the chances of being discovered by brute force fall to the minuscule. Second, and more memorably, add words: each extra word from the pool multiplies the work by 10,000, so four words is 10 quadrillion and five is a hundred quintillion, as the list above shows.
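The arithmetic in the two lists above, the separator/capitalization factor, and the non-dictionary token are easier to compare side by side than in prose. The following Python is an added example, not code from the original article or from the NCSC. It reproduces the article's assumptions (a 72-character alphabet and a 10,000-word pool); the particular lists of separators and capitalization patterns, and the offline guessing rate of 10^12 guesses per second, are illustrative assumptions of mine. The last function also shows the one thing the article's advice depends on and says least about: the words have to be chosen by a cryptographic random number generator, not by you.

```python
"""Keyspace arithmetic for random-character passwords vs. random-word passphrases.

Added example, not from the original article. Alphabet size and word pool
follow the article; the separator/capitalisation lists and the guess rate
used in the demo are assumptions chosen for illustration.
"""
import math
import secrets

ALPHABET_SIZE = 72    # 26 lower + 26 upper + 10 digits + 10 specials (article's assumption)
WORD_POOL = 10_000    # the article's conservative word pool

# Assumed patterns a word-aware attacker would have to enumerate. Only the
# count matters: each pattern multiplies the work, it does not exponentiate it.
SEPARATORS = ["", " ", "-", "_", "."]
CAPITALISATIONS = ["all lower", "Each Word Capitalised", "ALL UPPER", "First word only"]
VARIANTS = len(SEPARATORS) * len(CAPITALISATIONS)   # 20 patterns, a little over 4 bits


def keyspace_chars(length, alphabet=ALPHABET_SIZE):
    """Guesses needed to exhaust every random-character password of this length."""
    return alphabet ** length


def keyspace_words(words, pool=WORD_POOL, variants=1, token_len=0, alphabet=ALPHABET_SIZE):
    """Guesses for an attacker who knows the password is `words` dictionary words.

    `variants` is how many separator/capitalisation patterns they must also try;
    `token_len` is the length of an appended non-dictionary random string (the
    article's "ackpft"), which can only be brute-forced character by character.
    """
    return pool ** words * variants * alphabet ** token_len


def bits(keyspace):
    """Entropy in bits, assuming every element of the keyspace is equally likely."""
    return math.log2(keyspace)


def equivalent_char_length(keyspace, alphabet=ALPHABET_SIZE):
    """Shortest random-character password whose keyspace is at least `keyspace`.

    Integer loop rather than log(), so 72**16 maps back to exactly 16.
    """
    length = 0
    while alphabet ** length < keyspace:
        length += 1
    return length


def years_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try the whole keyspace at a given offline guess rate."""
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


def random_passphrase(wordlist, words=3, sep=" "):
    """Pick words with a CSPRNG. 'Random' words a person thinks of are not random."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    rate = 1e12  # assumed offline rate against a fast, unsalted hash, guesses/second
    rows = [
        ("8 random chars", keyspace_chars(8)),
        ("3 words, attacker knows the pattern", keyspace_words(3)),
        ("3 words + separator/case guessing", keyspace_words(3, variants=VARIANTS)),
        ("3 words + 6-char random token", keyspace_words(3, variants=VARIANTS, token_len=6)),
        ("4 words + separator/case guessing", keyspace_words(4, variants=VARIANTS)),
        ("16 random chars", keyspace_chars(16)),
    ]
    for label, space in rows:
        print(f"{label:38} {space:10.3e}  {bits(space):5.1f} bits  "
              f"~{equivalent_char_length(space):2d} random chars  "
              f"{years_to_exhaust(space, rate):9.3g} years")
    # Constructed five-entry word list; a real one would have ~10,000 entries.
    print(random_passphrase(["anchor", "velvet", "tundra", "copper", "meadow"]))
```

Running it shows the shape of the argument: three words with an attacker guessing separators and case land at about 8 random characters' worth of work, three words plus a six-character random token at about 14, and each extra word adds roughly 13 bits. The demo table is worst-case exhaustive search; real cracking tries the likeliest candidates first, so treat the years column as an upper bound.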
Brute force is passé
While hackers might do some limited amount of character-based brute force, since the number of people using word combinations remains low, I’d imagine trying all the combinations of words is not on the radar of many hackers.
Besides, there are easier ways for hackers to get passwords these days.
One of the most common? Password reuse.
One of the more pragmatic attack modes is to try all passwords previously discovered anywhere, ever. Any time a new password is discovered, it’s simply added to the list and tried in future attempts. I suspect this gives the hackers a pretty high success rate.
As long as your password is long — say 16 characters — and random — either random characters or words — it’s unlikely to have ever been used before, and unlikely to appear on that list.
The article that spurred this little thought exercise — “The logic behind three random words,” by the UK’s National Cyber Security Centre — focuses primarily on usability as the driving factor. People are much more likely to use and remember three random words than they are even eight random characters, much less longer strings.
My discussion above is mostly about the math involved, and about why simple comparisons of brute-force attack types aren’t valid on their own. Three-random-word passwords really can be as secure as traditional random-character combinations…
… on these conditions:
- Never reuse passwords. No matter how the password is created, no matter how long it is, once it’s discovered, it’s no longer secure and shouldn’t be used anywhere.
- Use a password vault. Remembering three random words is easier, but it’s still difficult if you have a lot of them to remember. Regardless of how you create your passwords, a password vault remains the most secure way to keep track of them all.
Use what works for you
If you prefer 20-character passwords of the form TrUURqPK7kTQ8F3s8yVj, then go for it. I continue to use this most of the time, because LastPass’s password generator is right there, and it’s LastPass that tracks it all for me. In cases where I might need to remember a password without LastPass’s assistance, I’ll use a multi-word password.3
But make sure to use a method that’s secure, don’t reuse the passwords you create, and please consider using a password vault to keep track of it all.
Footnotes & References
1: Yes, I know, many systems accept more than 10 “special characters”. Unfortunately, we’ve been trained to limit our selection to “the obvious 10-or-so” because so many systems balk if you step outside that range. Feel free to use a wider range of characters when a system supports it. It only increases your security.
2: Actually, word families. “Word family/lemma is a root word and all its inflections, for example: run, running, ran; blue, bluer, bluest, blueish, etc.”
3: Common Words Password Generator is an online tool you can use to generate random multi-word passwords using its roughly 10,000-word database. It’ll call three-word passwords “poor” because it doesn’t take into account the separation/capitalization nuances I mentioned above. It’ll let you use more words if you like.