The UK’s National Cyber Security Centre is again reminding people that a combination of three random words is one of the safest and most secure passwords you can have. So if your password is ‘password123’, you might want to look at changing it ASAP.
In a lengthy blog post, the NCSC claims that “using three random words is still better than enforcing arbitrary complexity requirements” for password safety.
“Passwords generated from three random words help users to create unique passwords that are strong enough for many purposes, and can be remembered much more easily. This is also good for those who aren’t aware of password managers, or are reluctant to use them,” the NCSC writes.
Basically, three-random-word combinations are strong but easy to remember, which means they hit the sweet spot for a good password.
“Traditional password advice telling us to remember multiple complex passwords is simply daft,” technical director, Dr Ian Levy, said on the NCSC website.
“There are several good reasons why we decided on the three random words approach — not least because they create passwords which are both strong and easier to remember.
“By following this advice, people will be much less vulnerable to cybercriminals and I’d encourage people to think about the passwords they use on their important accounts, and consider a password manager.”
Obviously, password managers like 1Password that generate and store super secure password combinations are recommended, but the three-word method is a helpful alternative.
For starters, multiple words or ‘passphrases’ are generally longer than single-word passwords. This means your passphrase will meet any length requirements without being as obvious as adding ‘123456789’ to the end of your password.
Additionally, these passwords don’t use predictable strategies like replacing the letter ‘o’ with a zero, or a 1 with an exclamation mark, which makes it harder for cybercriminals to hack your accounts.
‘Novelty’ is also a major reason why three word passwords are so successful, with the NCSC claiming that it encourages users to create new, unique combinations for each website.
The NCSC promotes ‘password diversity’ over the complexity requirements that we currently have to abide by on most popular websites.
According to the NCSC, “complexity requirements are actively working against password diversity”.
“This has led to convergence in strategies and a reduction in password diversity. To increase diversity, we need to encourage people to use other password construction strategies (such as ‘three random words’), that use length rather than character sets to achieve the desired strength,” the NCSC writes.
“This effectively encourages the adoption of passwords that are currently unused, increasing password diversity in the ecosystem.”
But until we can work on fixing the complexity requirements issue, the official NCSC advice is to opt for three-word passwords for optimal password safety.
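To make the "length rather than character sets" point concrete, here is an added example (not code from the NCSC or from this article) that builds a three-random-word passphrase with Python's `secrets` module and calculates how much strength the word count and wordlist size contribute. The 16-word list is constructed for illustration, the 8,192-word size is a hypothetical, and the function names are assumptions of this example.

```python
import math
import secrets

# Constructed sample wordlist for illustration only. A real list should hold
# thousands of words so that each pick adds meaningful strength.
SAMPLE_WORDS = """
apple bridge candle dolphin ember forest garden harbour
island jacket kettle lantern meadow needle orchard pebble
""".split()


def clean_wordlist(words):
    """Lowercase, trim and de-duplicate so every word is equally likely."""
    pool = sorted({w.strip().lower() for w in words if w.strip()})
    if len(pool) < 2:
        raise ValueError("wordlist needs at least two distinct words")
    return pool


def generate_passphrase(words, count=3, sep="-"):
    """Pick `count` words independently using the OS CSPRNG (not `random`)."""
    if count < 1:
        raise ValueError("count must be at least 1")
    pool = clean_wordlist(words)
    return sep.join(secrets.choice(pool) for _ in range(count))


def entropy_bits(pool_size, count=3):
    """Entropy in bits of `count` uniform, independent picks from the pool."""
    return count * math.log2(pool_size)


def words_needed(pool_size, target_bits):
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("sample list, 3 words:", entropy_bits(len(SAMPLE_WORDS)), "bits")
    # Hypothetical 8,192-word list: 13 bits per word
    print("8,192-word list, 3 words:", entropy_bits(8192), "bits")
    print("words needed for 50 bits:", words_needed(8192, 50))
```

The entropy figure only holds when the words are chosen by a random source; words a person picks because they are memorable or related are far easier to guess than the number suggests.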