
Enterprise Passphrase Policies: NIST, PCI-DSS & NCSC 2026

9 May 2026 · 8 min read · Daniel Hayes

Why Passphrase Policies Matter for Enterprise Compliance

Enterprise password policies have traditionally focused on complexity: minimum character counts, special characters, uppercase letters, and regular rotation. These rules trace back to the original 2004 NIST SP 800-63 guidance; the 2017 revision of NIST SP 800-63B explicitly retired them, and they are now widely recognised as counterproductive. They push users toward predictable patterns (Password1!, Spring2026!) that automated tools guess quickly while remaining hard for humans to remember.

The shift toward passphrase-based authentication is driven by three factors: the March 2026 Core Update penalising commodity password advice, the NCSC's advocacy for three random words since 2016, and simple entropy arithmetic showing that a 4-word passphrase from a 7,776-word Diceware list provides 51.7 bits of entropy, roughly the same as 8 characters chosen uniformly from the 95 printable ASCII characters (52.6 bits), and far easier to remember.

For compliance officers, the key question is: do passphrase policies meet regulatory requirements? The answer, as of 2026, is yes, provided the verifier-side controls covered in this guide (blocklists, rate limiting, proper hashing and, for PCI scope, a numeric character) are in place alongside the passphrases themselves.

NIST SP 800-63B: Passphrase Requirements

NIST SP 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management) is the most influential password standard globally. Revision 3 (2017) dropped composition rules and mandatory rotation; Revision 4 (public drafts in 2022 and 2024, finalised in 2025) keeps that position, renames "memorized secrets" to "passwords" and raises the recommended length floor.

Paraphrasing Section 5.1.1.2 of Revision 3 (Section 3.1.1.2 in Revision 4), the requirements placed on verifiers are:

• Length: a minimum of 8 characters SHALL be enforced (Revision 4 adds that at least 15 SHOULD be required), and a maximum of at least 64 characters SHOULD be permitted.
• Character set: all printing ASCII characters and the space character SHOULD be accepted, and Unicode SHOULD be accepted, so multi-word passphrases with spaces are explicitly in scope.
• No composition rules: verifiers must not require mixtures of character types (SHOULD NOT in Revision 3, SHALL NOT in Revision 4).
• No periodic rotation: verifiers must not force arbitrary periodic changes; a change is required only on evidence of compromise.
• Blocklist: every candidate SHALL be compared against a list of commonly used, expected or compromised values (breach corpora, dictionary words, repetitive or sequential strings, context-specific words such as the service or user name) and rejected if it appears.
• Throttling: online guessing SHALL be rate limited (Section 5.2.2).
• Storage: secrets SHALL be salted and hashed with a suitable one-way key derivation function.

The practical implication: a policy that permits 4+ word passphrases from a 7,776-word Diceware list satisfies the length and character-set provisions. The standard is written for verifiers, though, so compliance also depends on the blocklist check, the rate limiting and the salted hashing above. Our PassphraseMaker.net generator produces such passphrases using cryptographically secure random number generation; it does not, on its own, make the verifier compliant.

PCI-DSS v4.0: Payment Card Industry Passphrase Requirements

PCI-DSS v4.0 (published March 2022, with v4.0.1 following in June 2024; its future-dated requirements became mandatory on 31 March 2025) is notably specific about authentication. The rows below map each requirement to a passphrase compliance path:

Requirement: 8.3.6 (minimum length and complexity, mandatory from 31 March 2025)
Passphrase compliance path: passwords or passphrases must be at least 12 characters (8 where the system cannot support 12) and must contain both numeric and alphabetic characters. A 4-word Diceware passphrase is typically 20+ characters and clears the length bar comfortably, but a words-only passphrase contains no digit and fails the letter of the requirement regardless of its entropy. Insert a random digit between words, or require one numeric separator, for accounts in scope.

Requirement: 8.3.7 (password history)
Passphrase compliance path: a new password or passphrase may not match any of the previous four. Randomly generated passphrases satisfy this without user effort; the verifier still has to keep hashed history to enforce it.

Requirement: 8.3.9 (password-only user access)
Passphrase compliance path: where a passphrase is the only authentication factor, it must be changed at least every 90 days, or the account's security posture must be dynamically analysed. Passphrases are easier to rotate than complex passwords, and the rotation clock stops altogether once the account is behind MFA.

Requirement: 8.4.1 to 8.4.3 (multi-factor authentication)
Passphrase compliance path: MFA is required for administrative access, for all non-console access into the cardholder data environment (8.4.2, mandatory from 31 March 2025) and for remote access. The passphrase is the knowledge factor; pair it with a TOTP app or a FIDO2 hardware authenticator.

Requirement: 8.6.1 to 8.6.3 (application and system accounts)
Passphrase compliance path: accounts that can log in interactively must be managed, and their passwords must not be hard-coded. Long generated passphrases held in a password manager fit this well. Note that 8.2.2 permits shared or generic accounts only on an exception basis, so a vault does not make a shared login compliant by itself.

The key advantage for PCI-DSS compliance: passphrases shrink the "password on a sticky note" problem rather than abolishing it. When employees can remember their 4-word passphrase without writing it down, one of the most common findings in an assessment becomes rare, which is also why passphrases pair well with the 90-day rotation that 8.3.9 still imposes on password-only accounts.

NCSC Guidance: Three Random Words (Updated 2025)

The UK's National Cyber Security Centre (NCSC) has been the most prominent advocate for passphrase-based authentication. Its 2016 "three random words" advice was restated in the 2021 explainer "The logic behind three random words" and refreshed again in 2025, and rests on three points: three random words are long enough to resist online guessing, memorable enough not to be written down, and a simple instruction that people actually follow.

The NCSC also addressed a common criticism: that attackers will simply add word combinations to their dictionaries. They will, and the arithmetic still favours the defender as long as the word count matches the threat. Four words from a 7,776-word list give 51.7 bits, about 3.7 x 10^15 combinations. Against an online interface with rate limiting, or a credential store hashed with bcrypt or Argon2id, that is out of reach. Against a fast unsalted hash such as NTLM, where a multi-GPU rig tries hundreds of billions of guesses per second, the entire 4-word keyspace falls in hours. Four words is therefore the floor only where the hash is slow; six words (77.5 bits, about 2 x 10^23 combinations) is the safe choice for Active Directory passwords and any other secret that may leak in a fast-hash form.

For UK organisations, the NCSC's Cyber Assessment Framework (CAF) does not prescribe password composition; its identity and access control principle (B2) expects authentication proportionate to risk, so a passphrase policy that follows the NCSC's own password guidance is consistent with it. The same holds for the government's Minimum Cyber Security Standard. This matters for local authorities, NHS trusts and critical national infrastructure operators that are assessed against the CAF.

Implementation Guide: Deploying Passphrase Policies Across Your Organisation

    Choosing the Right Word List for Enterprise Deployments

    The security of a passphrase policy depends on the size of the word list and on the words being chosen uniformly at random from it. Not all word lists are equal: a 4-word passphrase drawn from the 1,000 most common English words carries 40 bits of entropy, against 51.7 bits for one drawn from a 7,776-word Diceware list, even though both are technically "4-word passphrases."

    For enterprise deployments, we recommend the following word lists, ordered by suitability:

    • Diceware 7776-word list (Arnold G. Reinhold, 1995) — The original. Each word adds log2(7776) = 12.9 bits of entropy; a 4-word passphrase provides 51.7 bits and a 6-word passphrase 77.5 bits. The list is large, but it includes short tokens, abbreviations and punctuation strings that are awkward to type and to remember, which is why most deployments now prefer the EFF list.
    • EFF Large Wordlist (7776 words, 2016) — The same entropy per word, curated for memorability: every word is 3 to 9 letters long, no two words share the same first three letters (so a typo-tolerant verifier can autocomplete), and offensive or obscure terms are excluded. Bitwarden's passphrase generator uses it.
    • EFF Short Wordlist (1296 words) — Designed for four six-sided dice. Each word adds 10.3 bits of entropy, so a 5-word passphrase gives 51.7 bits. Words are 5 letters or shorter, which helps memorability but means one more word is needed for the same entropy.
    • Proposed: Industry-specific word lists — For regulated industries, a curated list of 1,000 to 2,000 terms from your field (banking, clinical or engineering vocabulary) can make passphrases easier for staff to hold in mind, but it costs entropy: 1,000 words is 10 bits per word, so four words give only 40 bits, and the policy must require six (60 bits) to stay comparable with four Diceware words. Assume the attacker has the list; the security comes from the random selection, never from the list being private.

    Regardless of the word list chosen, select words with a cryptographically secure random number generator (CSPRNG). Our PassphraseMaker.net generator uses the Web Crypto API's crypto.getRandomValues(), which is backed by the operating system CSPRNG and is the same primitive browser-based password managers rely on. One implementation detail matters whichever generator you use: getRandomValues() returns raw 32-bit integers, and reducing them modulo a list size that does not divide 2^32 evenly (7,776 does not) makes the first words of the list slightly more likely. Draw and discard out-of-range values (rejection sampling) instead.

    Common Enterprise Passphrase Pitfalls and Mitigations

    Deploying passphrase policies across an organisation of any size reveals practical challenges that don't appear in the compliance documentation:

    Pitfall 1: Memory burden for infrequent users. Employees who log in only once a week (VPN users, contractors) struggle to recall passphrases longer than 3 words. Solution: a tiered approach, for example 3-word passphrases for low-risk systems and 5 or more words for privileged access. Bear in mind that 3 words from a 7,776-word list is 38.8 bits, so the low tier is acceptable only behind rate limiting and a slow password hash, never for a secret whose fast hash an attacker might obtain.

    Pitfall 2: Keyboard muscle memory. Users who type the same passphrase many times a day come to hold it as a key pattern rather than a word sequence, which breaks down on a different keyboard layout or a phone and tempts them to swap in words that are easy to type rather than random. Solution: keep words machine-generated rather than user-chosen, avoid lists dominated by very short words, and let users enter the passphrase from a password manager on mobile devices.

    Pitfall 3: Translation and internationalisation. Non-native English speakers have more difficulty remembering English word passphrases. For global organisations, provide word lists in the employee's native language. The EFF lists are English; Diceware-style lists in other languages are available through Reinhold's Diceware page, so source a native-language list of comparable size rather than translating the English list word for word, and recompute the entropy from the size of the list you actually deploy.

    Pitfall 4: Help desk strain. Initial rollout of passphrase policies generates increased password-reset requests. Budget for a 2-3x increase in the first month, tapering to a net decrease of 50% by month 6 as passphrase memorability reduces reset frequency.

    Our PassphraseMaker.net addresses these pitfalls natively — with support for custom word lists, multiple languages, and tiered security levels that map to your organisation's access control policy.

  1. Update your Active Directory or identity provider password policy — Raise the minimum length to 20 characters, not 8 (older Windows builds cap the Group Policy value at 14, so check your build and fall back to a fine-grained password policy or a password filter where needed). Remove complexity requirements (no mixed-case or special-character mandates). Do not impose a maximum below 64 characters. Disable periodic password expiry, except for password-only accounts in PCI-DSS scope, where 8.3.9 still applies.
  2. Provide a passphrase generator — Deploy our PassphraseMaker.net passphrase generator as the default tool for employees. Include language-specific word lists for non-English-speaking teams.
  3. Train employees on passphrase creation — Explain why "correct horse battery staple" is better than "P@ssw0rd2026!", and why that exact phrase, now in every attacker's dictionary, must never be used. Most employees adopt passphrases readily once they understand the reasoning.
  4. Audit existing password storage — Ensure your password hashing uses Argon2id (preferred) or bcrypt with a cost factor of 10 or more. bcrypt processes only the first 72 bytes of its input, so a policy that allows long passphrases must either use Argon2id or cap length at 72 bytes, or the tail of the passphrase silently contributes nothing. Password history must store only hashed versions of previous passphrases.
  5. Document compliance mapping — Create a cross-reference document showing how your passphrase policy satisfies each requirement in NIST SP 800-63B, PCI-DSS v4.0, and your industry-specific regulations.
  6. Test for common passphrase weaknesses — Block known weak phrases (song lyrics, movie quotes, famous poem lines, the xkcd example) even when they look like a valid Diceware-style passphrase. Compare a normalised form (lower case, spaces and punctuation removed) against the blocklist, which is what NIST SP 800-63B's blocklist requirement expects.
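Steps 1, 4 and 6 land on the verifier. The following is an added example, not the article's or any product's code, of the acceptance check a verifier would run on a candidate passphrase: length floor and ceiling, the bcrypt 72-byte limit, the PCI-DSS 8.3.6 digit rule when enabled, and a normalised blocklist comparison, with deliberately no composition rule. The policy values and the five-entry blocklist are assumed for the example; hashing and history storage are outside its scope.

```javascript
// Added example (not from the article): verifier-side acceptance checks for a
// passphrase policy aligned with NIST SP 800-63B and PCI DSS 8.3.6.

// Policy values assumed for this example; tune to your environment.
const DEFAULT_POLICY = {
  minLength: 20,        // the article's recommendation (NIST floor is 8; Revision 4 recommends 15)
  maxLength: 64,        // NIST: permit at least 64 characters
  requireDigit: false,  // set true for accounts in PCI DSS scope (8.3.6)
  bcryptLimitBytes: 72, // bcrypt silently ignores input beyond 72 bytes
};

// Constructed blocklist sample. In production this is breach corpora plus
// common phrases, lyrics and quotes, stored in the same normalised form.
const BLOCKLIST_SAMPLE = [
  'correct horse battery staple',
  'to be or not to be',
  'may the force be with you',
  'password',
  'letmein',
];

// Canonical form for comparison: Unicode NFKC, lower case, with whitespace,
// punctuation and symbols removed, so "Correct-Horse-Battery-Staple!" and
// "correct horse battery staple" collide. Digits are kept.
function normalise(text) {
  return text.normalize('NFKC').toLowerCase().replace(/[\s\p{P}\p{S}]+/gu, '');
}

const NORMALISED_BLOCKLIST = new Set(BLOCKLIST_SAMPLE.map(normalise));

// Returns { ok, problems }. Every failing rule is reported so the user can fix all at once.
function checkPassphrase(candidate, policy = DEFAULT_POLICY, blocklist = NORMALISED_BLOCKLIST) {
  const problems = [];

  const length = [...candidate].length; // count code points, not UTF-16 units
  if (length < policy.minLength) problems.push(`shorter than ${policy.minLength} characters`);
  if (length > policy.maxLength) problems.push(`longer than ${policy.maxLength} characters`);

  // A 64-code-point passphrase in a non-Latin script can exceed 72 bytes.
  const bytes = new TextEncoder().encode(candidate).length;
  if (bytes > policy.bcryptLimitBytes) {
    problems.push(`exceeds ${policy.bcryptLimitBytes} bytes: bcrypt would truncate it`);
  }

  if (policy.requireDigit && !/\d/.test(candidate)) {
    problems.push('PCI DSS 8.3.6 requires at least one numeric character');
  }

  const norm = normalise(candidate);
  if (blocklist.has(norm)) {
    problems.push('matches a blocked phrase');
  } else {
    // Long blocked phrases are rejected even when embedded in a longer candidate.
    for (const phrase of blocklist) {
      if (phrase.length >= 12 && norm.includes(phrase)) {
        problems.push(`contains blocked phrase "${phrase}"`);
        break;
      }
    }
  }

  // Deliberately no upper/lower/special-character rule: NIST SP 800-63B forbids composition rules.
  return { ok: problems.length === 0, problems };
}

console.log(checkPassphrase('coral tandem quota drift'));
console.log(checkPassphrase('Correct-Horse-Battery-Staple!'));
console.log(checkPassphrase('coral tandem quota drift', { ...DEFAULT_POLICY, requireDigit: true }));
```

The normalisation step is what makes the blocklist useful against passphrases: without it, "Correct-Horse-Battery-Staple!" passes a naive exact-match check while being the most guessed passphrase in existence.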

Our PassphraseMaker.net tool generates passphrases using CSPRNG-grade randomness. Every passphrase is generated locally in your browser and nothing is sent to a server, so no candidate secret leaves your environment, which keeps the generator out of scope for the data-handling obligations of GDPR, HIPAA and PCI-DSS.
