this post was submitted on 12 Oct 2025
34 points (94.7% liked)


Something that you can actually remember

[–] LangleyDominos@hexbear.net 3 points 2 days ago (2 children)

If it's three words together, they can't really verify one word by itself. That's why it's secure. They would have to test all combinations of three words which would take forever. The reason dictionary attacks work is because people use one word (password), a simple modification of a word (password1!), or a simple common phrase (openssesame1!). The technique is just hoping someone was being ignorant or negligent. But you're right, they would have to crack all three words in sequence, which means testing all combinations of three words. That's hard to do.

This is why social engineering is much more important. To even get close to cracking all three words they would have to get to know you, assuming you're using something related to yourself like a relative's name, your favorite movie, an inside joke between friends. A targeted attack against you will probably start with social engineering rather than brute forcing your passwords. A random attack is like people who walk down the street looking for an unlocked car door. They're just trying to find someone who isn't secure, not you specifically, and therefore probably wouldn't start with getting to know you.

You want your dictionary to be as small as possible. You can scrape Oxford to a text file and use that, but you're wasting so much time on thousands of words that are unlikely to be relevant. So rather than just using random words they use common words, phrases, and variations of those in their dictionaries. An actual dictionary probably wouldn't contain correct, horse, battery, or staple. It's more likely to be password, password1, password2, etc and then the other common stuff people use for passwords. If you're targeting someone specific, you would make a custom dictionary specific to their life.

[–] chgxvjh@hexbear.net 1 points 1 day ago

If you pick 3 random words out of 40000 that's less entropy than an 8 random character password with only letters and numbers.

[–] CarbonConscious@hexbear.net 1 points 2 days ago

Good info! And that's exactly what I meant - a word is weak, but several randomized words together is pretty crazy strong. Slightly less than random letters, but much easier to type and memorize when the situation calls for it.
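The entropy comparison from the replies above, worked through as an added example that is not part of any comment in the thread. It assumes "letters and numbers" means a 62-symbol alphabet (upper case, lower case, digits); the function names and the short sample word list are constructed for illustration.

```python
import math
import secrets

def entropy_bits(choices: int, picks: int) -> float:
    """Entropy in bits of `picks` independent, uniform draws from `choices` options."""
    return picks * math.log2(choices)

def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of random words whose entropy reaches `target_bits`."""
    n = 1
    while entropy_bits(wordlist_size, n) < target_bits:
        n += 1
    return n

def generate_passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """Draw words with the OS CSPRNG. The entropy figure only holds for
    uniform random draws, not for words a person picks themselves."""
    unique = sorted(set(wordlist))  # duplicates would skew the distribution
    if len(unique) < 2:
        raise ValueError("wordlist needs at least two distinct words")
    return sep.join(secrets.choice(unique) for _ in range(n_words))

# Constructed sample list for the demo; the thread's figure assumes 40000 words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "copper", "window", "river", "candle"]

if __name__ == "__main__":
    three_words = entropy_bits(40000, 3)
    eight_chars = entropy_bits(26 + 26 + 10, 8)  # assumption: upper, lower, digits
    print(f"3 words from 40000: {three_words:.2f} bits")
    print(f"8 chars from 62:    {eight_chars:.2f} bits")
    print("words needed to match:", words_needed(40000, eight_chars))
    print("demo passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

With these assumptions three words fall just short of the 8-character password and a fourth word closes the gap with room to spare.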