Bad passwords are easy to remember, but also easy to guess — and that can give an attacker access to your online accounts.
That’s why the UK’s National Cyber Security Centre (NCSC) has explained why it is still recommending users pick three random words for a password rather than meeting complex requirements, such as an alphanumeric string, that could permit the creation of bad passwords like “pa55word”.
The NCSC’s past warnings against password complexity requirements have been aimed at admins responsible for protecting IT systems. NCSC has called on organizations previously to ditch password-expiry policies because they encourage users to pick slight variations on existing passwords; Microsoft in 2019 dropped its recommendation for expiring passwords on Windows 10 because the policy was obsolete and unhelpful.
NCSC is also critical of advice that passwords must be memorized and not stored. NCSC encourages people to store them in a password manager, a browser, or on a piece of paper.
The main reason it’s encouraging three random words is to address the fact that people are poor at memorizing things — especially long, complex passwords — and that password manager adoption remains “very low”.
Its three random words suggestion is also aimed at those who aren’t aware of or don’t want to use password managers.
But there are other reasons why NCSC vouches for three random words, including that they produce longer passwords, it’s an easy-to-explain and understands password strategy, and because it’s usable and practical.
The other key reason is that three random words help increase password diversity, which makes it harder for attackers to use search algorithms to discover passwords cheaply and then compromise accounts.
“Currently, complexity requirements are actively working against password diversity (for all the reasons mentioned above). This has led to a convergence in strategies and a reduction in password diversity,” explains Kate R, the people team lead for NCSC’s Sociotechnical Security Group.
“To increase diversity, we need to encourage people to use other password construction strategies (such as ‘three random words’), that use length rather than character sets to achieve the desired strength.”
While NCSC endorses the use of password managers and believes they also increase password diversity, it’s encouraging three random words until the uptake of password managers is more widespread.
The three random words advice roughly aligns with Google’s recommendations for protecting Google Accounts. To make passwords longer but also memorable, Google recommends using a lyric from a song or poem, a meaningful quote from a movie or speech, a passage from a book, a series of words that are meaningful to the user, or creating an acronym from a sentence.
NSCS acknowledges there are search algorithms that are optimized for three random words, but Kate R argues that more password diversity raises the cost for attackers since they must try several algorithms.
She also notes that NCSC hopes more people will adopt password managers and that this will also increase password diversity, so the three random words recommendation still makes sense until password manager adoption is universal.