NCSC Sticks by ‘Three Random Words’ Strategy for Passwords

  • Combining three random words is more effective than using complex combinations for passwords, says the National Cyber Security Council (NCSC).

    An NCSC blog post dated August 9 explains how this train of thought or “think random” helps to “keep the bad guys out.” The post follows on from a previous one from nearly five years ago, “Three random words or #thinkrandom.”

    According to the post, enforcing “complex requirements” for passwords is a poor defense against guessing attacks. This is because “minds struggle to remember random character strings,” and, being human, we use “predictable patterns” to meet the required criteria.

    Cyber hackers are all too familiar with this and use it to make their attacks more effective. According to Verizon, compromised passwords are responsible for 81 percent of hacking-related data breaches.

    “Counter-intuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords,” says the NCSC post. “Faced with making yet another password with specific requirements, users fall back on variations of something they already know and use, falsely believing it to be strong because it satisfies password strength meters (and is accepted by online services).”

    The NCSC also advises that the “continued low uptake of password managers to store and generate passwords” leads to this predictability. It has encouraged organizations and people to use them for a while.

    “Passwords generated from three random words help users to create unique passwords that are strong enough for many purposes, and can be remembered much more easily,” explains the NCSC blog post. “This is also good for those who aren’t aware of password managers, or are reluctant to use them.”

    The NCSC says that the three random word theory is effective because of the length, impact, novelty and usability.

    For some, the NCSC appreciates that this tactic might be a concern due to previous behavior patterns. However, it advises that people adopt the “think random” technique and respond to search algorithm optimization, weaker passwords and poor password recall.

    “We do appreciate that some system owners may have concerns using the three random words technique over others,” says the NCSC. “It may not be necessary across all organizations.

    “However, if you’re not using ‘three random words’ for any of the following reasons, then you may want to consider adopting it.”

    According to Nordpass’ ‘Top 200 most common passwords of the year 2020’, the top passwords are “123456”, “123456789” and “picture1”.