NCSC guidance: ‘Three random words’

Why this method works

Because length is strength. Most password-cracking attacks are automated: they can try huge numbers of guesses very quickly, so short passwords, even with symbols, tend to fall fast. Combining three unrelated words usually creates a passphrase that’s long enough to resist these attacks, while staying practical to type and remember.

The key is that the words must be random and not connected to you. Randomness makes the passphrase unpredictable, and real words are easier for humans to recall than “complex” strings, reducing the temptation to reuse passwords or write them down unsafely. Three words is a good baseline for most situations; for higher-risk accounts, adding a fourth random word makes it even stronger.

This approach, recommended by the UK National Cyber Security Centre, involves creating passwords by combining three genuinely random, unrelated words to make something that is both long enough and strong enough while still being memorable. For example, joining three words together, with or without separators, creates a long passphrase that is harder to crack than a short, complex-looking password.

How to create a ‘three random words’ password

  • Pick three random words that have no obvious connection to you or each other (randomness matters more than complexity).
  • Combine them into a single passphrase (e.g., run them together or separate with a hyphen or dot if allowed).
  • Aim for length: longer passphrases are much harder to crack than short passwords with symbols.
  • Use a different passphrase for each important account (avoid reuse).
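
The steps above can be scripted so that the computer, not the person, makes the random choice. The following is an added example, not NCSC code and not part of the original guidance: the word list, the function names and the personal_terms parameter are all illustrative assumptions, and the entropy figure assumes the attacker knows both the list and the method.

```python
import math
import secrets

# Constructed sample list, far too small for real use: a real list needs
# thousands of words so that each pick adds meaningful entropy.
SAMPLE_WORDS = """apple anchor biscuit blanket candle carpet dolphin drizzle
engine fabric garden hammer island jacket kettle ladder marble napkin
orange pencil quartz rocket saddle teapot umbrella velvet walnut yogurt""".split()


def clean_wordlist(words, personal_terms=()):
    """Lower-case, de-duplicate, and drop words tied to the user."""
    banned = {t.lower() for t in personal_terms}
    return sorted({w.lower() for w in words} - banned)


def entropy_bits(list_size, word_count):
    """Bits of entropy for word_count independent, uniform picks."""
    return word_count * math.log2(list_size)


def generate_passphrase(words, word_count=3, separator="-", personal_terms=()):
    """Return (passphrase, entropy_bits), picking with the OS CSPRNG."""
    pool = clean_wordlist(words, personal_terms)
    if len(pool) < 2:
        raise ValueError("word list too small to pick from")
    # secrets.choice draws from the operating system's secure random source,
    # unlike random.choice, which is predictable and unsuitable for passwords.
    picks = [secrets.choice(pool) for _ in range(word_count)]
    return separator.join(picks), entropy_bits(len(pool), word_count)


if __name__ == "__main__":
    # "rocket" stands in for a word connected to the user (hypothetical).
    for count in (3, 4):
        phrase, bits = generate_passphrase(SAMPLE_WORDS, count,
                                           personal_terms=["rocket"])
        print(f"{count} words: {phrase} (~{bits:.1f} bits from this sample list)")
```

Each extra word adds log2(list size) bits, which is why a fourth word strengthens the passphrase and why the size of the word list matters as much as the number of words.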

What to avoid

  • Don’t use common passwords (e.g., “password”) or predictable patterns.
  • Avoid words tied to you: birthdays, significant dates, favourite teams, or family/pet names (these can often be guessed or found via social media).
  • Don’t rely on simple substitutions like swapping o for 0—attackers expect these tricks, and it mainly makes passwords harder to remember.

Extra tips

  • Consider using a password manager to generate and store unique strong passwords for all your accounts.
  • If you need to write a password down, the NCSC notes this can be OK—just keep it somewhere safe and out of sight (not on or under your device).
  • Where available, turn on multi-factor authentication (MFA) for an extra layer of protection.

Sources

  • UK National Cyber Security Centre (NCSC) – “Top tips for staying secure online: Three random words” (accessed 12 May 2026).

Conclusion

Using three random words is a simple and effective way to create passwords that are both secure and memorable. By choosing words that are unrelated to you, keeping each password unique, and adding extra protection such as a password manager or multi-factor authentication, you can significantly reduce the risk of your accounts being compromised while still using passwords you can manage in everyday life.