The NCSC three random words method, in one paragraph

The UK National Cyber Security Centre (NCSC) recommends building a password from three unrelated words such as RiverPianoLamp or OctopusBoxcarHat. Why? The resulting passphrase is typically 16–24 characters long, which is far harder to crack than a typical "complex" 8-character password — and you can actually remember it.

This generator picks the words for you. Use it once per account, ideally with a password manager to remember the rest.


The NCSC also recommends a password manager.

A three-word passphrase is great for one important password — but you have dozens of accounts. A password manager remembers a unique strong password for every one. Disclosure: the links below are affiliate links.

How to use the three random words method

  1. Generate three unrelated words. Click Generate. The tool picks three words with no obvious connection.
  2. Reject anything personal. If a word strongly relates to you (a pet name, your team, your town), click Generate again. The whole point is unpredictability.
  3. Choose how to join the words. A separator (hyphen, dot) is fine. Adding a random special character or a number bumps the entropy further if a site insists on "complexity".
  4. Use the password for one account. The single biggest reason accounts get compromised isn't weak passwords — it's reused passwords. Store it in a password manager and let the manager generate the rest.

Strength, entropy, and Cyber Essentials

Is it actually strong?

A three-word passphrase drawn from a pool of around 5,000 common words has roughly 37 bits of entropy — broadly equivalent to a random 7-character mixed-case password, but a great deal more memorable. Add a number or special character and you're well above the strength of a typical "complex" 8-character password. Add a fourth word and you exceed almost any character-based password in everyday use.
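
The 37-bit figure is word count × log2(pool size), and it holds only when every word is drawn independently and uniformly from the pool. The JavaScript below is an added example, not this generator's own source: the function names and the small sample pool are assumptions, and it also shows how a short pasted wordlist lowers the figure.

```javascript
// Added example (not the generator's own source). All names are hypothetical.
// Web Crypto CSPRNG: global in browsers and current Node; fallback for older Node.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Constructed sample pool for the demo; a real pool holds thousands of words.
// 'Piano' is repeated on purpose to show de-duplication.
const SAMPLE_POOL = ['River', 'Piano', 'Lamp', 'Octopus', 'Boxcar', 'Hat',
                     'Marble', 'Kettle', 'Walnut', 'Anchor', 'Piano'];

// Uniform integer in [0, n) via rejection sampling, so no index is favoured
// the way a plain `random32 % n` would favour low values.
function uniformIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError('invalid pool size');
  const limit = 2 ** 32 - (2 ** 32 % n); // largest multiple of n that fits in 32 bits
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Entropy in bits when each word is drawn independently and uniformly.
function entropyBits(poolSize, wordCount) {
  return wordCount * Math.log2(poolSize);
}

// Build a passphrase and report the entropy of the pool actually used.
function generatePassphrase(pool, wordCount = 3, separator = '') {
  // Duplicates would skew the draw and overstate the pool size, so drop them.
  const unique = [...new Set(pool.map((w) => w.trim()).filter(Boolean))];
  if (unique.length < 2) throw new Error('pool needs at least two distinct words');
  const words = Array.from({ length: wordCount }, () => unique[uniformIndex(unique.length)]);
  return { passphrase: words.join(separator), words, bits: entropyBits(unique.length, wordCount) };
}

const demo = generatePassphrase(SAMPLE_POOL, 3, '-');
console.log(demo.passphrase, '-', demo.bits.toFixed(1), 'bits (10-word demo pool)');
console.log('5,000-word pool:', entropyBits(5000, 3).toFixed(1), 'bits');
console.log('200 pasted words:', entropyBits(200, 3).toFixed(1), 'bits');
```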

UK Cyber Essentials v3.3

From 27 April 2026, Cyber Essentials user accounts must use a minimum of 12 characters where MFA is enforced, or 14 characters where it is not. A typical three-word passphrase from this generator runs to 16–24 characters and clears both bars comfortably. You'll still need MFA on every cloud service that supports it, and a deny-list of common breached passwords on accounts where MFA isn't possible.

Three Random Words Generator — FAQ

The UK National Cyber Security Centre recommends three random words because the resulting passphrase is long enough to resist automated guessing but short and structured enough that a person can actually remember it without writing it down. Length matters more than character variety once a password is reasonably long.

Roughly 37 bits of entropy from a 5,000-word pool — comparable to a random 7-character mixed-case password but far more memorable. Adding a number or symbol pushes you well above typical "complex" 8-character passwords.

Yes. Paste text into the source text box and the generator will extract distinct words from it. Tick "Use only pasted words" to ignore the built-in lists. Useful if your organisation prefers a curated wordlist.

A typical three-word passphrase is 16–24 characters, exceeding the 12-character minimum for Cyber Essentials v3.3 user accounts (with MFA) and the 14-character minimum (without MFA). For full policy compliance you also need MFA where available and a blocklist of common breached passwords.

Pick a fixed separator (space, hyphen, dot) or let the tool insert a random special character like @ or ! between each word. Separators add a small amount of extra entropy and help with sites that insist on a non-letter character.

No. Generation happens entirely in your browser using JavaScript. Nothing is sent to a server, logged, or stored.