Three random words make for a better password than “daft” long strings of symbols, letters and numbers, Government spy chiefs have said.
The National Cyber Security Centre (NCSC), part of Government Communications Headquarters (GCHQ), is urging people to create passwords that are easy to remember yet strong enough to keep online accounts secure from cyber criminals.
The advice comes as cyber crime has soared during the pandemic, with online fraud rising 70 per cent in the last year, according to data from the Office for National Statistics.
The NCSC recommends using “three random words” instead of more complex passwords, which can be easier to guess for criminals and the software they build to detect them.
The agency says cyber criminals target the predictable tricks that are supposed to make passwords more complex – like substituting the letter o with a zero, or the number one with an exclamation mark.
Criminals allow for such patterns in their hacking software, which negates any desired added security from such passwords.
“Counter-intuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords,” the agency said.
By contrast, passwords constructed from three random words tended to be longer and harder to predict, and used letter combinations which were more difficult for hacking algorithms to detect.
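The contrast can be shown from the defender's side in a short Python sketch, which is an added example and not code from the NCSC or this article: a sign-up check that undoes the predictable tricks before consulting a word list, next to a generator for three random words. The word list, the substitution table and all function names are assumptions made for the illustration.

```python
import math
import secrets

# Constructed sample list for the demo; a real check or generator would load
# a list of thousands of words, and its size sets the guess space.
WORDS = ["coffee", "train", "fish", "lamp", "river", "candle", "orbit",
         "mango", "password", "welcome", "dragon", "monkey"]

# The article's o -> 0 swap, plus other common swaps (illustrative assumption,
# not an NCSC list). The 1 -> ! swap is covered by the trailing strip below.
UNSWAP = str.maketrans({"0": "o", "@": "a", "$": "s", "3": "e"})

def normalise(password):
    """Undo case changes, trailing digits/punctuation and character swaps."""
    return password.lower().rstrip("0123456789!?.").translate(UNSWAP)

def is_predictable(password, words=WORDS):
    """True if the password is one listed word once the tricks are undone."""
    return normalise(password) in words

def three_random_words(words=WORDS, sep="-"):
    """Pick three words independently with a CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(words) for _ in range(3))

def guess_space_bits(list_size, n_words=3):
    """log2 of the number of equally likely n-word picks from the list."""
    return n_words * math.log2(list_size)

if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Dr4gon", "Welcome2021", three_random_words()]:
        verdict = "reject" if is_predictable(candidate) else "accept"
        print(f"{candidate:28} -> {verdict}")
    print(f"{len(WORDS)} words: {guess_space_bits(len(WORDS)):.1f} bits")
```

A password that passes a typical complexity rule still collapses to a single listed word, while the strength of the three-word form comes from the size of the list and the randomness of the pick.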
In a blog post, the agency noted the three random words approach was not 100 per cent safe since people might use predictable word combinations, but said a major advantage of the system was its usability “because security that’s not usable doesn’t work”.
NCSC technical director Dr Ian Levy said: “Traditional password advice telling us to remember multiple complex passwords is simply daft.
“There are several good reasons why we decided on the three random words approach – not least because they create passwords which are both strong and easier to remember.
“By following this advice, people will be much less vulnerable to cyber criminals and I’d encourage people to think about the passwords they use on their important accounts, and consider a password manager.”