
Three Magic Words: The Logic Behind Simplifying Password Security

*(Hand image courtesy of ncsc.gov.uk)

Nearly five years after the original publication, "Three random words" or #thinkrandom is still one of the most visited pages of the NCSC website. It tells you how, with the help of three random words, you can make a password 'random enough' to keep the baddies out but simultaneously 'easy enough' for you to remember.



Grade your organizational risk with our comprehensive cybersecurity quiz.
🎯 Grade Your Organizational Risk: CLICK HERE


We pretty much all recognise at this point that forcing complexity requirements is a bad defence against guessing attacks. We find it hard to remember random character strings, so our minds fall back on predictable patterns (such as replacing 'o' with zero) that satisfy the required 'complexity' criteria. Adversaries know these tactics and use them to generate optimised attacks. Far from adding randomness, such complexity requirements make the passwords people create more predictable.

Faced with creating yet another password with a bunch of specific requirements, users usually resort to some variation of a hack on something they already know and use, fooling themselves that it's strong because it passes the password strength meters (and is accepted by the online service).
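The two paragraphs above make a point that is easy to demonstrate: a password that satisfies a typical complexity policy can still be a dictionary word with predictable substitutions. The script below is an added illustration, not code from the original post or from the NCSC; the complexity rules, the substitution table and the tiny word set are constructed for the example (real strength checkers use far larger lists). It shows that 'P@ssw0rd1!' passes every complexity rule yet normalises back to 'password', while a plain three-word passphrase fails the complexity rules despite not being a dictionary word.

```python
import re

# A typical "complexity" policy of the kind the post criticises:
# minimum length plus one character from each class.
COMPLEXITY_RULES = [
    (r".{8,}", "at least 8 characters"),
    (r"[A-Z]", "an upper-case letter"),
    (r"[a-z]", "a lower-case letter"),
    (r"[0-9]", "a digit"),
    (r"[^A-Za-z0-9]", "a symbol"),
]

# Predictable substitutions people use to satisfy those rules
# (constructed, illustrative list; not exhaustive).
SUBSTITUTIONS = {
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
}

# Constructed mini dictionary standing in for the large word lists
# that real password checkers compare against.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "monkey", "dragon"}


def passes_complexity(pw):
    """True if the password meets every rule in COMPLEXITY_RULES."""
    return all(re.search(pattern, pw) for pattern, _ in COMPLEXITY_RULES)


def failed_rules(pw):
    """Human-readable list of the rules a password does not meet."""
    return [desc for pattern, desc in COMPLEXITY_RULES if not re.search(pattern, pw)]


def normalise(pw):
    """Undo the predictable tricks: lower-case, drop trailing digits/symbols
    (e.g. '1!' or '2024'), then map common substitutions back to letters."""
    lowered = pw.lower()
    core = re.sub(r"[^a-z]+$", "", lowered)
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in core)


def is_predictable(pw):
    """True if, after normalisation, the password is just a common word."""
    return normalise(pw) in COMMON_WORDS


def evaluate(pw):
    """Summary a policy checker might return for a candidate password."""
    return {
        "passes_complexity": passes_complexity(pw),
        "normalised": normalise(pw),
        "predictable": is_predictable(pw),
    }


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Summ3r!", "CatWindowMarble"]:
        print(candidate, evaluate(candidate))
```

The practical lesson for anyone writing a password policy is that the complexity regexes on their own say nothing about guessability; a check that normalises substitutions and compares against a breached-password or dictionary list catches what the regexes miss.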

None of this is helped by long-held, terrible advice that passwords must be memorised and can in no way, shape, or form be stored (whether in a password manager, in your browser, or on paper) without putting your security at risk.

The other concern is the continued low uptake of password managers to store and generate passwords (the NCSC has been encouraging organisations and individuals to use password managers for some time now).

To be absolutely clear, the National Cyber Security Centre (NCSC) states, “There are a number of ways you can securely store your passwords, in a password manager, a browser, or on a piece of paper, so remembering them is no longer a problem.”

Key Takeaways

  • 'Three random words' is a beneficial alternative to complex password rules.
  • This strategy is supported by the NCSC for being secure and user-friendly.
  • Effective passwords can be both easy to remember and hard to guess.

Security Benefits of the “Three Word” strategy

Passwords are the first line of defence in cyber security. The 'three random words' method offers a balance between complexity for security and simplicity for user recollection.

Password Strength

The strength of a password hinges on its unpredictability and its length. Three random words produce a password that is long enough to thwart brute-force attacks and unpredictable enough to resist common guessing techniques. Users can mix in numbers and capital letters where a service demands them, which also satisfies the password strength meters that evaluate the robustness of a password.

Resisting Guessing Attacks

Cyber criminals commonly deploy guessing attacks, leveraging data about individuals to crack passwords. A sequence of three unrelated words significantly diminishes the success of such attacks. Each additional word exponentially increases the number of possible combinations, making the password more resilient against both automated and targeted guessing attempts.

Impact on Cyber Criminals

Hackers are deterred by the time and effort required to infiltrate accounts with strong passwords. Using three random words creates a password that is challenging to decipher, increasing the cost and reducing the efficiency of cyber criminals' attacks. Consequently, they might opt to bypass these accounts in favour of targets with weaker security measures, thereby improving the overall safety of data.

Adoption at Home and Work

At home, individuals are encouraged to adopt the three-word formula for its simplicity and effectiveness. In the workplace, this strategy harmonises security protocols across government and the private sector, making passwords memorable to the user yet challenging for cyber attackers. Organisations find this method aids compliance without compromising operational efficiency.

User Experiences with Three Words

Those who've embraced the NCSC's advice generally report positive outcomes. They find that blending three unrelated words produces passwords that are easier to recall than complex alphanumeric alternatives. Password managers play a supportive role here, securely storing these unique combinations and reducing the mental load of memorising multiple passwords.

  • Ease of Memorisation: 'CatWindowMarble' is more memorable than 'C@tW1n^0wM@rb!e'.
  • Visualisation: Users often create a mental image that helps remember their three-word passphrase.

Creating a Random Password

Creating a strong, memorable password is crucial for securing one's online presence. This approach balances ease of recall with sufficient complexity to deter unauthorised access.

Balancing Security and Usability

Usability is crucial in password creation, as password strength is redundant if the user cannot recall the password. The NCSC promotes the use of three random words because it produces a password that is secure against a range of online threats and easier for individuals to remember. Instead of an impossible-to-memorise string of characters, a combination of words such as "FalconBridgeButter" increases password strength without sacrificing usability.

Steps to Formulate a Three-Word Passphrase:

  1. Selection of Words: Begin by randomly picking three distinct words. These could be any words that aren’t easily associated with one another.
  2. Variation: For improved security, one may consider altering a letter to a number or adding special characters. For example, 'cat5treetable' or 'green#apple!clock'.
  3. Memorability: Choose words that, though random, are meaningful enough to remember but aren't easily guessable, like 'plant', 'spectrum', 'anchor'.

Password Logic Versus Passphrase:

  • A random password typically consists of a complex arrangement of characters, including upper and lower case letters, numbers, and symbols.
  • A passphrase simplifies this concept by combining uncomplicated words to create a barrier that's still robust enough to protect against common cyber attacks.
  • The longer the composite passphrase, the more secure it's likely to be. However, three words are often sufficient for most instances and are much easier to recall compared to a string of random characters.

By sticking to these guidelines, one can craft a passphrase that not only meets security standards but also reduces the brainpower required to remember complex password combinations.
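The 'Resisting Guessing Attacks' section above says that each additional word multiplies the number of possible combinations, and the steps just listed describe how to build the passphrase. The script below is an added example, not code from the original post or from the NCSC: it generates a passphrase with the operating system's cryptographic random source (`secrets`, so the words are genuinely random rather than user-picked) and computes the combination count and entropy for a given word-list size, comparing a three-word and four-word passphrase against an eight-character random password. The sixteen-word list is constructed for illustration; the 7776-word figure is the size of a common diceware-style list and is used here only as a comparison point.

```python
import math
import secrets

# Constructed sample word list. A real generator would draw from a list
# of thousands of words; a sixteen-word list keeps the arithmetic visible.
WORDS = [
    "falcon", "bridge", "butter", "anchor", "spectrum", "plant",
    "marble", "window", "cat", "green", "apple", "clock",
    "street", "table", "river", "candle",
]


def generate_passphrase(words, count=3, separator=""):
    """Pick `count` words uniformly at random (with replacement) from `words`.

    secrets.choice uses the OS CSPRNG, so every word is equally likely;
    this is what makes the entropy figures below actually apply. Words
    a person picks 'at random' from their head are far less uniform."""
    chosen = [secrets.choice(words) for _ in range(count)]
    return separator.join(chosen)


def combinations(list_size, count):
    """Number of distinct passphrases: list_size ** count."""
    return list_size ** count


def entropy_bits(list_size, count):
    """Entropy in bits assuming uniform random selection from the list."""
    return count * math.log2(list_size)


def char_password_entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random character password, for comparison."""
    return length * math.log2(alphabet_size)


def compare(list_size=7776, alphabet_size=94, char_length=8):
    """Entropy table: 3 and 4 random words versus an 8-char random password.

    94 is the number of printable ASCII characters (letters, digits, symbols)."""
    return {
        "three_words": round(entropy_bits(list_size, 3), 1),
        "four_words": round(entropy_bits(list_size, 4), 1),
        "random_chars": round(char_password_entropy_bits(alphabet_size, char_length), 1),
    }


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(WORDS, 3, "-"))
    print("combinations, 3 of 16 words:", combinations(len(WORDS), 3))
    print("combinations, 4 of 16 words:", combinations(len(WORDS), 4))
    print(compare())
```

The numbers make the 'each additional word' point concrete: going from three to four words multiplies the combination count by the size of the word list, and with a large list three random words already sit within a comfortable margin of an eight-character random password while being far easier to remember. The caveat a practitioner should keep in mind is that the entropy figures only hold when the words are drawn uniformly from the list, which is why a password manager or a script like this should do the choosing.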




Our quiz is more than just a set of questions; it's a window into your organization's cybersecurity posture. By participating, you're not just testing your knowledge; you're evaluating your organization's readiness against cyber threats.

  • Easy to Understand: No technical jargon, just clear, actionable insights.
  • Quick and Efficient: It won't take much of your time, but the insights you gain could save your organization.
  • Empower Your Decision Making: With the knowledge you gain, make informed decisions to enhance your cybersecurity strategy.

As your trusted MSP, we're committed to helping you navigate the complex world of cybersecurity. This quiz is the first step in a journey towards a more secure digital environment for your business.

  • Assess Your Risk: Discover how secure your organization truly is.
  • Tailored Insights: Receive personalized feedback based on your responses.
  • Stay Ahead: Learn about potential vulnerabilities before they become issues.

Take the Quiz Now and pave the way for a safer digital future for your organization. Remember, in the realm of cybersecurity, knowledge is not just power – it's protection.

👉 Don't Wait for a Breach to Realize the Importance of Cybersecurity.
