What3words again

« previous post | next post »

A friend's note:


is an app that assigns a three-word combination to every 3-meter square in the world.

My dad's living room is at acid.tribe.dwell …. ;-)

I wrote about this a few years ago — "Three words",  1/14/2016:

As I write this, I'm sitting in the middle of  intend.agree.aware. Or alternatively, cèdre.permettre.lune.

Or, if you prefer, ambara.özüne.konuyu, or эпос.стукнуть.напрасный, or geflogen.aufhält.vollkommen, or mdogo.sokoni.yapenda, or …

At this moment, my current location is https://w3w.co/choice.views.cars.

As it happens, I wrote a little script some time before that, to choose random 3-word sequences as a starting point for passwords (also modifying case, subsituting numbers and symbols here and there, etc.). Most of the basic three-word sequences chosen by that program are rejected by what3words as possible locations.

That's probably because my script used a word list that's too big. It has 74286 entries, and 74286^3 is about 4.1+14.

The earth's surface area is about 509,600,000 km^2, or 5.069e12 m^2.

And 5.096e12^(1/3) is 17208.5.

So my word list is about 4.3 times too large  (74286/17209 = 4.316695), and it makes sense that  most of my program's outputs don't yield valid what3words locations — this morning, three tries yield one hit:


That last one names a square meter in the Atlantic off of Nova Scotia:

And it's true that "vials.priority.conceived" is easier to remember (and even to type) than "41.75791 -62.09459". But it's not as explainable, as the AI folk say.




  1. Michael P said,

    March 30, 2022 @ 6:57 am

    While your word list might be too big, your password might be too small. 74286 words gives a bit over 16 bits of entropy per word, so three words gives only 48 bits of entropy. That's safe as long as it's used with a secure password hashing mechanism (at least 32 bits of salt, preferably also a memory-hard function) but a weak algorithm would make it unsafe.

    But — and here is the linguistic hook — that is only as much randomness as using four words from a 4500-word list. A shorter word list (such as based on Diceware or EFF's alternative list) allows each word to be shorter, and in theory easier to recall.

    Similarly, Bitcoin software can use a "seed phrase" of 12, 16, 20 or 24 words chosen from a 2048-word list, with some bits used for error detection.

    [(myl) I make brute-force attacks a little harder by capitalizing a few letters here and there, changing some a's and o's and e's and s's to @'s and 0's and 3's and $'s (or whatever), etc. But I can still remember a few of the results, and type them if required to.]

  2. Miles said,

    March 30, 2022 @ 8:02 am

    Some corrections:

    Surface area of the Earth is around 5.1 x 10^14 m^2 , but area of each square in W3W is 9m^2 so there are 5.67 x 10^13 squares, which is the cube of 38,412. So your list is twice the W3W list.

    That suggests your generator would hit a valid W3W location 1 time in 7 (assuming all W3W words are in your list).

    [(myl) Oops, sorry, I grievously misunderstood "3 meter square". Somewhat excused by the time in the morning, pre-coffee…]

  3. Yuval said,

    March 30, 2022 @ 8:03 am

    Maybe I'm overdue for my next coffee of the day, but isn't there a factor of 9 missing there (3-meter-side squares rather than 1-meter-side squares)?

  4. Miles said,

    March 30, 2022 @ 8:07 am

    Actually, W3W on their website ("About" section) say they have enough words to address 64 trillion places (but only use 57 trillion addresses), suggesting a wordlist of 40,000.

  5. Ferdinand Cesarano said,

    March 30, 2022 @ 10:33 am

    If W3W are using only some of the possible combinations, this suggests that they are choosing to omit some possible combinations.

    Yet this vetting process hasn't prevented the existence of the following combinations:


    …and many other similarly unpleasant ones.

  6. Tom MacWright said,

    March 30, 2022 @ 12:59 pm

    I'd love to add some detail here – the overview is that what3words has a bad reputation amongst most people involved in addressing and maps.

    Some of the reasons for that:

    Their dataset is proprietary, so countries and apps that use what3words are tied to a small British startup's success or failure. They could start charging… for addresses, if they wanted to. There are better alternatives, like normal addressing, geohashes, Google Plus codes, all of which are public domain, like you would expect addresses to be.

    what3words themselves "tweaks" addresses by choosing different words for different places. From a post-colonial perspective, the idea that someone in a small British startup gets to change addresses in arbitrary countries is wildly upsetting.

    what3words aren't really "addresses" as much as locations. They're inferior to addresses in most ways: you can't refer to "apartment 4" in w3w. If a building's door moves down the street, the w3w address you've shared now refers to the wrong place. Builds have multiple what3words combinations.

    what3words are dangerously designed with easily-confused words – for example, two locations, one with "sheets" as a word and the other with "sheet", a few miles away from each other. Could the dispatcher hear the difference between the words over the phone?

    In short, what3words is a charming idea that doesn't work in practice. It is worse than the alternatives. The countries using it would be better served by adopting "normal" street-oriented address systems, which they could own and control themselves. what3words sells them a defective system and ties the fate of their addressing system to a small British startup.

    The company has done well by harnessing the charming power of the idea and selling to developing countries – a common and ethically hazardous technique for startups. They're brilliant at marketing and they keep getting coverage. But it's a bad technology with dangerous consequences.

  7. Peter Madre said,

    March 30, 2022 @ 2:11 pm

    @Ferdinand yeah I can see your point ..it can lead to some nasty ones. But it's a fun thing to have and those words exist so I don't know …it was bound to happen and hard to prevent

  8. Nelson said,

    March 30, 2022 @ 2:12 pm

    What3Words tries very hard to keep their word list and assignment algorithm proprietary; it's literally their only means of seeking rent. It's part of why it's totally unsuitable as an actual addressing infrastructure.

    But if you want to understand how it works and examine the word lists, there is a compatible implementation called WhatFreeWords floating around out there. I won't link it here and it may not be easy to find because the company has taken a very aggressive and inappropriate legal stance trying to wipe this information out.

  9. Ferdinand Cesarano said,

    March 30, 2022 @ 3:17 pm

    For some reason, the people behind W3W seem to think that the haphazard distribution of names is a good thing. However, if no relationship exists amongst location names, then a user cannot begin to guess how far one square is from another.

    By contrast, Google Plus codes, which divides the world into similarly small chunks as W3W does, is simply a re-encoding of latitude and longitude. So any user can tell at a glance the relationship between two zones. For instance, in New York City, the two zones


    …are obviously adjacent.

    Whereas, the W3W notations for the roughly equivalent locations


    …have no relationship whatsoever to one another.

    So I agree with Mr. MacWright that W3W should not be used by countries or by services. But I will disagree with Mr. MacWright on the question of whether W3W is a charming idea, as I think the very idea is faulty, for the reason I just mentioned.

    (It's true that W3W refers to locations, rather than strictly to addresses. But that could be said as well for Plus Codes, and also for latitude and longitude. None of these systems accounts for the third dimension. So I don't see that as a drawback specifically of W3W.)

    The idea that W3W is useful for emergency services is incomprehensible. Emergency services would clearly be better off using Plus Codes, or even the latitude/longitude coordinates on which the Plus Codes system rests. Lat/long coordinates are already well-established, and are universally understood; indeed, even Google, the creators of Plus Codes, gives the lat/long coordinates in Google Maps for every point, along with the Plus Code. While I really like Plus Codes, I have to admit that the full Plus Code of 87G8P2P3+W6 is not really any easier to handle than the traditional coordinates of 40.7373,-73.9970. But either one is far preferable to W3W, for the reasons already mentioned. (I will note in addition that W3W's location names are not only incoherent and proprietary, but they are also different for different languages! So each point on Earth has fifty different W3W designations — one for each of the languages in which W3W can be used.)

    Futhermore, W3W's claims of precision are ridiculous. Latitude/longitude coordinates are as precise as needed for any given use, considering that they can include any number of digits after the decimal point.

  10. Gregory Kusnick said,

    March 30, 2022 @ 4:00 pm

    About 25 years ago I implemented a scheme for displaying 32-bit error codes as three-word strings, so users could report problems as "steam horse razor" or similar, rather than as unmemorable strings of hexadecimal digits. The 32-bit space is small enough that a dictionary of ~1600 words suffices, so I was able to keep the words short and exclude homophones and other sources of ambiguity.

    My employer at the time thought this scheme original enough to obtain a patent on it. I would not want to hazard a guess as to whether W3W's method infringes that patent.

  11. Chester Draws said,

    March 30, 2022 @ 5:57 pm

    Any patent will have expired.

  12. poftim said,

    March 31, 2022 @ 5:36 am

    Are the "addresses" entirely random? I'm not trying to defend what3words at all, but I was under the impression that sheep.parrot.pike was deliberately designed to be hundreds of miles (at least) from any of sheet.parrot.pike, sheet.carrot.pike, sheep.parrot.pipe, etc. so the situation that Tom MacWright describes shouldn't arise.

  13. Nelson said,

    March 31, 2022 @ 9:21 am

    What3Words claims they designed the system to avoid similar words being a problem but they failed at that. And I imagine they have a difficult time fixing it; they can't break old locations, afterall. Some details on all the flaws here: https://cybergibbons.com/security-2/why-what3words-is-not-suitable-for-safety-critical-applications/

    There's some wonderful What3Words parodies. What3Emojis is the most trenchant of them. There used to be the delightfully named What3Fucks but it's gone, although Four King Maps has now filled the need for a vulgar word location system. (At least, for the UK & Ireland; because as the site says "only so many swear words to go around".)

  14. Terpomo said,

    March 31, 2022 @ 12:37 pm

    Mia Mulder has done a rather long video essay on the issues with What3Words
    (I keep meaning to check out more of her work and forgetting.)

  15. Chas Belov said,

    March 31, 2022 @ 3:50 pm

    The main issue with using three words for a password is that you still have to remember which three words go with which website. (¿You are using a different password for each website, aren't you?)

    I'm afraid I'm entirely too private to share my three meter word combination.

  16. davep said,

    March 31, 2022 @ 11:14 pm

    W3W is more cute than useful. "Problematic" (in multiple ways) seems apt.

    W3W requires internet access and a particular website to work.

    Plus Codes (the complete form) don't (they do require a computer to decode but it uses a simple algorithm).

RSS feed for comments on this post