SCARS™ Cyber Basics: Three Random Words

(Last Updated On: March 24, 2022)

SCARS™ Cyber Basics: Three Random Words

Three Random Words Or What Makes A Good Password?

You’re probably aware that there’s a lot of guidance out there on what makes a good password — and it can be incredibly confusing. This should help.

We advise that you create passwords using three random words both because they are easier to remember and are hard to guess.

You just put them together, like ‘coffeetrainfish’ or ‘walltinshirt’.

You can choose words that are memorable but should avoid those which might be easy to guess, such as ‘onetwothree’ or are closely related to you personally, such as the names of family members or pets.

Ultimately, the choices you make regarding passwords are up to you. This article is intended to help inform you as you make password decisions and explain a little bit of the cybersecurity rationale behind our three random words guidance.


Here are some common ways that cybercriminals might try to compromise your user accounts. Many of these relate to the passwords you use, so let’s take a look at a few of them:

It’s Obvious

You should try to ensure that your password isn’t easy to guess. We all know that passwords protect things that are valuable to us but that doesn’t stop the most common passwords consistently including ‘password’, ‘123456’, ‘qwerty’, ‘football’ and so on. Take a look at one of the many ‘top 100’ password lists to see what form the most common ones take.

Somebody Else’s Bad

There are frequently stories in the media about cybercriminals breaking large numbers of passwords from sites that have failed to protect them properly. If you are reusing the same password across multiple sites and cyber-criminals crack one site, they might try the recovered passwords on the other sites you use.


There is a type of malicious software that, once on your system, attempts to log the keystrokes you make — including passwords. Of course, this will compromise any password entered, no matter how complex. The best defense here is keeping your software current and up to date.

Smash The Hash

When you choose a password, if the site is reasonably diligent it won’t store that password in a form that can be read directly. It will have been processed by a clever math function called ‘hashing’.

This function turns the readable password into what appears to be gobbledegook. This is the “password hash” and it is this that the website stores. The clever thing about hashing is that it’s very hard to turn the hash back into the password. As a user, when you return to a website and enter your password, the hash is calculated and compared to the one already stored. If they match, you’re in.

If a cybercriminal somehow gets hold of the list of password hashes there are some attacks they can use to try to recover passwords. Firstly they might try a ‘dictionary attack’ — putting lists of known words (including common substitutions such as ‘1’ instead of ‘i’) through the same function and see if they result in the same hash. If they do, they have your password.

This might sound like a lot of work but with modern computing it really only takes seconds. If this doesn’t work the cybercriminal could try to ‘brute force’ the hash. This means trying every possible combination of characters until the password is found. Long random passwords and the inclusion of special characters make this harder for a computer to work out. Fortunately, most websites have protections against brute force attacks (this one does).


If stopping a cybercriminal breaking your password relies on long and complex passwords, where does the three random words concept come from?

Well, super-long and complex passwords aren’t necessarily the best option for a number of reasons:

It’s Not All Math

Math is great, but not at the expense of the users.

It is really, really hard for a user to remember lots of complex, unique passwords. What happens is that we come up with coping mechanisms which are well known to cybercriminals, and which they can and do exploit in order to attack our accounts.

So, ironically, using long and complex passwords sometimes just plays right into attackers’ hands.

For example using ‘Pa55word!’ may follow the rules of a website, but is a bad password as it’s quite guessable.

Typically if a cybercriminal has the hashes to attack they will break them whatever rules are put in place.

Salt With That?

Actually, when a website processes your password it stirs in some other information as well, like your username. This is called salting. Combined with three random words, this provides a reasonable amount of protection from attack.

How Did They Get The Hash?

We glossed over the cybercriminals getting hold of the files containing all of the password hashes. If a website is well designed this should be really hard for a cybercriminal to do.

This is also why we recommend separate passwords for sites that are important to you (like your email) to things like web forums, that aren’t. If one website doesn’t look after the password hashes properly, that shouldn’t allow easy access to the things that are important to you.

Hard To Guess

Three well-chosen random words can be quite memorable but not easy to guess. It provides a good compromise between protection and usability.

Ultimately, It’s Your Choice Of Course, But Hopefully, This Has Helped To Make Your Password Choices A Little Bit More Informed!

Courtesy of the U.K. National Cyber Security Centre, United Kingdom




SCARS the Society of Citizens Against Relationship Scams Incorporated


A SCARS Division
Miami Florida U.S.A.



TAGS: SCARS, Important Article, Information About Scams, Anti-Scam, SCARS™ Cyber Basics, Three Random Words, Better Passwords, more Secure Passwords, Thinkrandom

The Latest SCARS|RSN Posts



More Information From

– – –

Tell us about your experiences with Romance Scammers in our
« Scams Discussion Forum on Facebook »

– – –

FAQ: How Do You Properly Report Scammers?

It is essential that law enforcement knows about scams & scammers, even though there is nothing (in most cases) that they can do.

Always report scams involving money lost or where you received money to:

  1. Local Police – ask them to take an “informational” police report – say you need it for your insurance
  2. U.S. State Police (if you live in the U.S.) – they will take the matter more seriously and provide you with more help than local police
  3. Your National Police or FBI « »
  4. The SCARS|CDN™ Cybercriminal Data Network – Worldwide Reporting Network « HERE » or on « »

This helps your government understand the problem, and allows law enforcement to add scammers on watch lists worldwide.

– – –

Visit our NEW Main SCARS Facebook page for much more information about scams and online crime: « »


To learn more about SCARS visit « »

Please be sure to report all scammers
« HERE » or on « »


SCARS™ Cyber Basics: Three Random Words 2


All original content is Copyright © 1991 – 2020 SCARS All Rights Reserved Worldwide & Webwide. Third-party copyrights acknowledge.

SCARS, RSN, Romance Scams Now, SCARS|WORLDWIDE, SCARS|GLOBAL, SCARS, Society of Citizens Against Relationship Scams, Society of Citizens Against Romance Scams, SCARS|ANYSCAM, Project Anyscam, Anyscam, SCARS|GOFCH, GOFCH, SCARS|CHINA, SCARS|CDN, SCARS|UK, SCARS Cybercriminal Data Network, Cobalt Alert, Scam Victims Support Group, are all trademarks of Society of Citizens Against Relationship Scams Incorporated.

Contact the law firm for the Society of Citizens Against Relationship Scams Incorporated by email at

Share This Information - Choose Your Social Media!

Please Leave A Comment - Tell Us What You Think About This!