
No, using 3 random words isn't "a really bad idea". That's complete nonsense.

The only "really bad idea" for passwords is password reuse. A unique 14-character, three-word password for each site you use will protect you from the threats you face online.

The fact that someone can relatively quickly crack your password if you used 3 random words is meaningless. That only works if they knew that you did that in the first place. Capitalize one random letter in all of that, throw a number between the second or third letter, add dashes, whatever and they're totally screwed. Game over, you win.


Even if they know it doesn't matter. Online password brute force attacks are extremely rare. If you don't reuse passwords then offline attacks don't really matter to you.


This very week you had the Quora user info leak (https://blog.quora.com/Quora-Security-Update), where users' info, including their encrypted passwords, was compromised.

Password reuse, or even following a simple pattern for having a different password for each site (i.e. a seed + site name), is the main problem here. If one site falls, then it should not be trivial to deduce your password, or how to attack it, for other, maybe more important or secure, sites.


So they brute-force an account (a not insignificant effort) and the attacker now sees your password of "fuzzykittytoes". What are they going to do with that information?

Target a bank with it? They can't brute-force a 14-character password for the bank over the internet. What trivial method would you use to get into your bank account, if you didn't reuse that password?


Agreed, the threat to online passwords is a break-in revealing the password database, which happens to be in plain text ('ooops!').

And even if the password list is not in plain text but the attacker manages to find your 3-word password, then if you didn't reuse that password anywhere else, it can't be used to get into any of your other accounts.

And for the account for which they found your password, they already broke into that system, so no additional loss here either.

greetings, eMBee.


Hi strictnein

Erm, haven't you proven my point for me?

You can't say "The fact that someone can relatively quickly crack your password if you used 3 random words is meaningless" and "isn't a really bad idea" in the same sentence.

"Capitalize one random letter in all of that, throw a number between the second or third letter, add dashes, whatever and they're totally screwed"

So.... ignore the "just use 3 words" advice completely and add random letters, numbers and dashes to make it secure? You'll find that's the advice we've given for years... and it too is ignored.


No, it is not, if you assume people who crack passwords are dumb and brute-force everything. In the second part you assume people are good at making up random words on the spot; if you make a password for LinkedIn, probably many will end up as "linked blue something".

In reality brute force is the last resort; you have dictionaries and keyboard walks. You can also use additional data about your target, like their name etc., if you have the database.
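To put numbers on the exchange above (a known three-word scheme versus the ad-hoc capitalize/digit/dash rules from the first comment, and the dictionary-first attack described in this reply), here is an added example that is not part of the thread. The wordlist, the target passwords and the unsalted SHA-256 hashes are constructed for the demo; the 7776-word dictionary size is an assumption taken from common diceware lists, and a real password store should use a salted, slow hash rather than plain SHA-256.

```python
# Added example (not from the thread): how far a known "3 random words"
# construction narrows an offline search, and how much the ad-hoc mangling
# rules suggested in the thread widen it again.
import hashlib
import itertools
import math

# Constructed, deliberately tiny wordlist so the search finishes instantly.
# A real attacker's dictionary has thousands of entries.
WORDLIST = ["fuzzy", "kitty", "toes", "blue", "linked", "river", "stone", "maple"]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, standing in for a leaked password hash (demo only)."""
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(base: str):
    """Yield every variant of `base` reachable by the thread's ad-hoc rules:
    optionally insert one digit after the 2nd or 3rd character, then
    optionally upper-case exactly one letter. Separators are the caller's job."""
    for slot in (None, 2, 3):
        digits = [""] if slot is None else "0123456789"
        for digit in digits:
            s = base if slot is None else base[:slot] + digit + base[slot:]
            yield s  # no capital
            for i, ch in enumerate(s):
                if ch.isalpha():
                    yield s[:i] + ch.upper() + s[i + 1:]


def candidates(wordlist, mangled: bool = False, words: int = 3):
    """Guesses for the 3-word scheme, plain or with dashes + mangling."""
    for combo in itertools.product(wordlist, repeat=words):
        if not mangled:
            yield "".join(combo)
            continue
        for sep in ("", "-"):
            yield from mangle(sep.join(combo))


def crack(target_hash: str, wordlist, mangled: bool = False):
    """Offline dictionary attack against one hash.
    Returns (password, guesses) or (None, guesses) when exhausted."""
    guesses = 0
    for guess in candidates(wordlist, mangled=mangled):
        guesses += 1
        if sha256_hex(guess) == target_hash:
            return guess, guesses
    return None, guesses


def mangling_bits(words) -> float:
    """Extra search-space bits the mangling rules add for one base passphrase."""
    count = sum(1 for sep in ("", "-") for _ in mangle(sep.join(words)))
    return math.log2(count)


def scheme_bits(dictionary_size: int = 7776, words: int = 3) -> dict:
    """Guess-space size in bits for the schemes discussed in the thread.
    dictionary_size=7776 is an assumed diceware-sized list, not a thread figure."""
    known_scheme = words * math.log2(dictionary_size)
    return {
        "3 words, attacker knows the scheme": known_scheme,
        "3 words + capital/digit/dash mangling": known_scheme
        + mangling_bits(["fuzzy", "kitty", "toes"]),
        "14 random lowercase letters (no scheme known)": 14 * math.log2(26),
        "random 128-bit hex from a password manager": 128.0,
    }


if __name__ == "__main__":
    # Constructed targets: the thread's "fuzzykittytoes" and one mangled form.
    plain = crack(sha256_hex("fuzzykittytoes"), WORDLIST)
    fancy = crack(sha256_hex("Fu7zzy-kitty-toes"), WORDLIST, mangled=True)
    print("plain scheme:  ", plain)
    print("mangled scheme:", fancy)
    for name, bits in scheme_bits().items():
        print(f"{bits:6.1f} bits  {name}")
```

The point the numbers make is that a scheme the attacker can guess is worth only dictionary_size to the power of the word count, and the mangling rules add roughly ten bits on top of that; a password that is random over its whole alphabet does not have a scheme to learn in the first place.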


I think they are trying to point out that if "use three words" gets popular enough then it isn't good for any individual who does so.


Thank you! Spot on.


> The only "really bad idea" for passwords is password reuse.

But is that really the ONLY "really bad idea" when using passwords?


True true. It's not the only one :)


On the other hand, if you use a password manager to keep track of all those different passwords, just make them random 128-bit hex values; you won't need to memorize them anyway.
