Your Password Isn't Being Hacked - It's Being Predicted

Why Three Random Words Make Better Passwords Than "Complex" Passwords

TL;DR

The biggest weakness in most passwords isn't technology, it's human behaviour. As a penetration tester, I regularly crack around 30% of an organisation's passwords during security assessments, not because I have some magical hacking tool or I am an elite hacker, but because people tend to create passwords in very similar ways. Three genuinely random words are easier to remember, much harder to predict, and far more secure than the "complex" passwords many of us still use.


The Biggest Password Myth

If you've ever created an online account, you've probably seen requirements like these:

  • At least eight characters
  • One uppercase letter
  • One number
  • One special character

Most people respond by creating something like:

Summer2025!

or

Password1!

or perhaps:

Football23

Technically, these tick all the boxes.

In reality, they're exactly the sort of passwords attackers expect.

For years we've been taught that adding capital letters, numbers and symbols automatically makes a password secure. Unfortunately, that's no longer true.

Today, the real measure of a good password isn't how complicated it looks—it's how difficult it is for someone else to predict.


What I See as a Penetration Tester

As a penetration tester, one of the services I regularly perform is a password audit.

With permission from an organisation, I analyse password hashes to identify weak passwords before a real attacker does.

Across many engagements, I typically recover around 30% of users' passwords.

That figure often surprises people.

It isn't because the organisations have poor security software.

It isn't because their systems are outdated.

It's because people are wonderfully predictable.

Most people believe they're creating unique passwords.

In reality, millions of people independently come up with remarkably similar ideas.


Websites Don't Store Your Password

When you create a password, reputable websites don't store the password itself. We don't on this site, which is why we can't remind you of your password: we don't know it!

Instead, reputable sites store a scrambled version of it called a hash.

Think of a hash as a digital fingerprint. When you log in, the site re-creates the 'fingerprint' from the password you typed and compares it to the one it has on record. If they match, you are authenticated and allowed to proceed.

Every password creates its own unique fingerprint, but you can't work backwards from the fingerprint to discover the original password, in the same way that detectives can't look at an actual fingerprint and say, "oh that's Dave Smith's fingerprint" without something to compare it to.

So if attackers steal a database, they usually steal these fingerprints and not the passwords themselves.

That sounds reassuring.

But there's a catch.
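To make the fingerprint idea concrete, here is an added example (not code from this site or the original post) of how a site can store and check a password using PBKDF2 with a random salt; the iteration count and the sample passwords are constructed choices for the demo.

```python
import hashlib
import hmac
import os

# Added example, not the site's own code: keep only a salted PBKDF2-HMAC-SHA256
# "fingerprint" of the password. The iteration count is a constructed choice.
ITERATIONS = 200_000


def make_record(password: str) -> dict:
    """Return what the site stores: a random salt plus the fingerprint, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Re-create the fingerprint from the login attempt and compare it to the stored one."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    # constant-time comparison, so response timing does not reveal how much matched
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    rec = make_record("bicycle velvet toaster")
    print(rec)                                    # no plaintext anywhere in the record
    print(verify(rec, "bicycle velvet toaster"))  # True
    print(verify(rec, "Summer2025!"))             # False
```

Because each record carries its own random salt, two users with the same password get different fingerprints, so a stolen database cannot be matched against a single precomputed list.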


How Passwords Are Really Cracked

Many people imagine password cracking as a computer starting with:

aaaaaaaa

then trying:

aaaaaaab

then:

aaaaaaac

...and continuing for years until it eventually finds the right answer.

In reality, that's almost never what happens.

Instead, attackers make educated guesses.

They know how people think.

They know we like names, places, favourite sports teams, seasons, years, birthdays and simple patterns.

Rather than trying every possible password, modern password cracking tools focus on the passwords that humans are most likely to choose.

It's psychology far more than mathematics.


We're More Predictable Than We Think

One of the most interesting parts of a password audit is seeing just how consistent people's habits are.

On one recent engagement, I analysed the passwords I successfully recovered.

Nearly half of the recovered passwords followed the same basic structure: a capital letter at the beginning and a number at the end.

Many users also appended one, two or three digits to otherwise simple passwords, often to satisfy password complexity requirements. These patterns are so common that modern password-cracking tools specifically target them, making such passwords far less secure than many people realise.

None of this is surprising.

When websites ask us to "include a capital letter and a number", most of us naturally capitalise the first letter and stick a number on the end.

It satisfies the password rules while keeping the password easy to remember.

Unfortunately, attackers know we do this.

Their software automatically tests these patterns first.
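As an added illustration (not the author's audit tooling), this script classifies a constructed list of recovered passwords by the habits described above: a capital letter first, digits at the end, and how many digits were appended, which is the kind of summary a password audit reports back to an organisation.

```python
import re
from collections import Counter

# Added example, not the post's own code. The list below is constructed to stand in
# for passwords recovered during an audit.
RECOVERED = [
    "Summer2025!", "Password1!", "Football23", "Welcome123", "Jan2024", "Charlie07",
    "bicycle velvet toaster", "qwerty", "monkey2", "glacier monkey suitcase",
    "letmein", "dragon!",
]

CAP_FIRST = re.compile(r"^[A-Z][a-z]+")      # capital letter followed by a lowercase body
TRAILING = re.compile(r"(\d+)([^\w\s]*)$")   # run of digits at the end, optional symbols after


def classify(password: str) -> dict:
    """Describe one password's structure in the terms the audit reports on."""
    m = TRAILING.search(password)
    return {
        "capital_first": bool(CAP_FIRST.match(password)),
        "ends_with_digits": m is not None,
        "trailing_digits": len(m.group(1)) if m else 0,
        "trailing_symbol": bool(m and m.group(2)),
    }


def summarise(passwords: list) -> dict:
    """Share of passwords that are capital-first AND number-at-end, plus digit-run lengths."""
    rows = [classify(p) for p in passwords]
    pattern = sum(1 for r in rows if r["capital_first"] and r["ends_with_digits"])
    digits = Counter(r["trailing_digits"] for r in rows if r["ends_with_digits"])
    return {
        "total": len(rows),
        "capital_first_and_digits": pattern,
        "share": round(pattern / len(rows), 2),
        "digit_run_lengths": dict(sorted(digits.items())),
    }


if __name__ == "__main__":
    print(summarise(RECOVERED))
```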


Computers Are Incredibly Fast

Another common misconception is that password cracking takes an enormous amount of time.

For modern Windows password hashes, that's often not the case.

Using inexpensive cloud-based computing, it's possible to test around 20 billion password guesses every second.

Let that sink in for a moment.

Twenty billion guesses.

Every.

Single.

Second.

At that speed, adding a single number or replacing an "a" with an "@" makes almost no practical difference if the password still follows common human patterns.

The computer isn't struggling to guess your password.

It's racing through billions of likely options almost instantly.


So Why Do Three Random Words Work?

Now compare these two passwords:

Summer2025!

and

bicycle velvet toaster

The first looks more complicated.

The second is usually much stronger.

Why?

Because almost nobody naturally chooses those three words together.

Attackers can predict that someone might choose "Summer2025!".

They can predict that people like adding the current year.

They can predict that many people capitalise the first letter.

What they can't easily predict is a completely random combination of unrelated words.

That's exactly why the UK's National Cyber Security Centre recommends using three random words.

The key word is random.

Not your favourite football team.

Not your children's names.

Not "fish chips vinegar."

Three unrelated words chosen at random.

For example:

  • velvet engine toast
  • glacier monkey suitcase
  • candle rocket library

They're surprisingly easy to remember because you're remembering words rather than a jumble of symbols.

At the same time, they're extremely difficult for attackers to predict.

We won't routinely ask you to change your password. If there's no indication it has been compromised, there's little security benefit in changing it, and frequent password changes often result in weaker, more predictable passwords.


What About Password Managers?

The best solution of all is to use a password manager.

It creates long, completely random passwords for every website, so you don't have to remember them yourself.

The only password you do need to remember is the password to unlock your password manager.

That's an excellent place to use three random words.


The Bottom Line

Password cracking today isn't about trying every possible combination of letters and numbers.

It's about understanding people.

Attackers know that we capitalise the first letter.

They know we add numbers to the end.

They know we use the current year.

They know we make small changes to old passwords.

As a penetration tester, I see this repeatedly. On average, I recover around 30% of an organisation's passwords, not because the technology is weak, but because human habits are predictable.

The good news is that protecting yourself doesn't require creating impossible-to-remember passwords full of symbols and numbers.

Instead, choose three genuinely random words, use a different password for every account, and let a password manager do the hard work wherever possible.

Sometimes the simplest advice really is the best.

If you wish to change your password on this site, you can do so by clicking on your name in the menu bar, which will take you to the relevant page to manage your account. It might be worth it!
