Examining the Strength of Three Word Passwords

Passwords make up the most common method of authentication. With ever increasing computing power, password complexity has had to keep pace. This creates a challenge for remembering all complex passwords which some password policies attempt to resolve. One such policy is to use three random words rather than a complex alphanumeric password. This paper attempted to prove the security of using such three-word passwords. It was discovered both theoretically and experimentally that three-word passwords should not be considered secure. Theoretical entropy of a three-word password found in the 25,000 most common words would be 43.8, that is lower than the entropy of a lowercase only password. Experimental data, collected via participant survey, shows up to 85% of random words provided by participants could be found in the top 15,000 common words found in the Google n-Gram data and 86.47% of combinations could be found in 25,000 most common words. This would mean, for at least 86.47% of cases, the entropy of the password is less than passwords already considered insecure in the industry.