“3 Random Words” Strategy

Nov 4, 2024

For many years, the accepted security advice has been that using multi-factor authentication together with long, complicated passwords full of symbols and digits is the gold standard for password protection. Attacks on compromised accounts grew by 20% in the previous year, and this combination is widely thought to be the best strategy to reduce them.

However, in a recent blog post the NCSC reinforced its recommendation that a combination of three random words is a far more effective way to secure account access than an extremely complex password. This article dissects the NCSC’s recommendations, outlines the drawbacks of excessively complicated passwords, and discusses best practices for managing password complexity in the workplace.

Why is it Not Advisable to Use Complex Passwords?

Using a simpler password might seem counterproductive: surely it would be less secure? Perhaps not. Even though more complicated passwords are harder to crack, most people don’t choose passwords that are strong enough for this to matter.

Let’s step back a moment. Cybercriminals primarily use three kinds of attack to obtain credentials. The first is social engineering: attackers use fake login pages or other tricks to get your password from you. No matter how strong your password is, they will have it if this attack succeeds. This is where multi-factor authentication is crucial.

The second is the brute-force attack. Attackers run a program that tries every possible combination until it finds your password. Here length and complexity do matter: the longer and more complex your password, the longer it takes an attacker to work through the possibilities.

The third tactic is the dictionary attack, in which attackers try to guess your password from a list of terms, such as every word in the English language. Although less exhaustive than a brute-force attack, it illustrates why passwords need to be more complicated than a single common word if they are not to be compromised.

As we can see, two of these three techniques perform significantly worse against long, intricate passwords.

Considering this information, what would be the rationale behind opting for simpler passwords?

The issue is that few people actually use long, intricate passwords. They are awkward to use and nearly impossible to recall, especially given that the typical person nowadays has to maintain hundreds of accounts. “My experience is that the more complex the password, the more inclined you are to write it down somewhere,” identity expert Keiron Dalton told Expert Insights.

As a result, many people substitute small changes, such as capitalising a letter or swapping the letter “I” for a “1”, for a genuinely complex password. Unfortunately, this actually reduces the security of their passwords.

Cybercriminals know that this is the most popular way users try to create a hard-to-guess password. Contrary to expectations, adding complexity in this way actually makes passwords easier to guess.

The best practice is to use a truly random string of unrelated letters, numbers, and symbols; however, most people cannot manage that. To boost password security, it may be better to combine three random words or phrases instead.
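To put numbers on the guess spaces discussed above, and to show how a password-policy check can catch the “1 for I” style tweaks that make a password easier to guess rather than harder, here is an added Python example. It is not code from the original article or from the NCSC. The short word list, the set of common base words, the substitution table and the assumed rate of 10 billion guesses per second are constructed for illustration; the 95-character printable set and the 7776-word list size are standard reference figures used only for the comparison.

```python
import math
import secrets
import string

# Constructed, deliberately short word list for this example; a real deployment
# would draw from a large list (a 7776-word diceware-style list, for instance).
WORD_LIST = [
    "apple", "basket", "canyon", "dolphin", "engine", "forest", "glacier",
    "harbour", "island", "jungle", "kettle", "lantern", "meadow", "nebula",
    "orchard", "pebble", "quarry", "ribbon", "saddle", "timber",
]

# Constructed set of common base words that a policy check should reject,
# with or without cosmetic substitutions.
COMMON_BASE_WORDS = {"password", "welcome", "summer", "letmein", "qwerty", "monkey"}

# Assumed substitutions users typically make to satisfy complexity rules.
LEET_TO_LETTER = {
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "5": "s", "$": "s", "7": "t",
}


def charset_entropy_bits(length, charset_size):
    """Nominal entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(charset_size)


def wordlist_entropy_bits(word_count, list_size):
    """Entropy of `word_count` words drawn uniformly from a list of `list_size`."""
    return word_count * math.log2(list_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def effective_bits_for_variant(dictionary_size, mangling_rules):
    """Guess space when a password is really a dictionary word plus a predictable tweak."""
    return math.log2(dictionary_size * mangling_rules)


def normalise(password):
    """Undo the predictable tweaks: case, trailing digits/symbols, leet substitutions."""
    core = password.lower().strip(string.digits + string.punctuation)
    return "".join(LEET_TO_LETTER.get(ch, ch) for ch in core)


def is_predictable_variant(password, base_words=COMMON_BASE_WORDS):
    """True if the password collapses to a known common word once tweaks are removed."""
    return normalise(password) in base_words


def generate_three_words(words=WORD_LIST, separator="-"):
    """Three words chosen with a CSPRNG, joined so the word boundaries stay visible."""
    return separator.join(secrets.choice(words) for _ in range(3))


def compare_schemes(guesses_per_second=1e10):
    """Summarise the guess spaces of the schemes at an assumed attacker rate."""
    complex8 = charset_entropy_bits(8, 95)        # 8 printable ASCII characters
    three_words = wordlist_entropy_bits(3, 7776)  # 3 words from a 7776-word list
    variant = effective_bits_for_variant(100_000, 1_000)  # assumed dictionary and rule counts
    return {
        "complex8_bits": complex8,
        "complex8_years": years_to_exhaust(complex8, guesses_per_second),
        "three_words_bits": three_words,
        "three_words_years": years_to_exhaust(three_words, guesses_per_second),
        "predictable_variant_bits": variant,
        "predictable_variant_years": years_to_exhaust(variant, guesses_per_second),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key:>26}: {value:,.2f}")
    for candidate in ("P@ssw0rd1", "Summer2024!", generate_three_words()):
        verdict = "predictable" if is_predictable_variant(candidate) else "ok"
        print(f"{candidate:>26}: {verdict}")
```

The point the numbers make is the one the article makes in words: “P@ssw0rd1” looks like a 52-bit password to a naive strength meter, but once an attacker applies a few hundred mangling rules to a dictionary of common words its effective guess space is far smaller than that of three random words, which are also much easier to remember. The `normalise` check is the kind of rule a password policy can apply at set time, rejecting a tweaked common word while accepting a random passphrase.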

Simply Pick Three Random Words. No Kidding.

Combine three random words to create a password that’s ‘long enough and strong enough’. 

A blog entry from the NCSC on August 9 expands on an earlier one from nearly five years ago, “Three random words or #thinkrandom”, explaining how this way of thinking, or “think random”, helps in “keeping the bad guys out.”

Enforcing “complex requirements” for passwords is a poor defence against password-guessing attacks, the post claims. This is because “minds have difficulty recalling random character strings,” and since we are all human, we fall back on “predictable patterns” to satisfy the requirements. Cybercriminals are very familiar with this and exploit it to strengthen their attacks. According to Verizon, 81 percent of hacking-related data breaches are caused by leaked passwords.

According to the NCSC publication, “contrary to intuition, the implementation of these requirements for complexity results in the generation of more predictable passwords.” When asked to create yet another password with specific requirements, users default to variations of something they already know and use, mistakenly believing it is strong because it meets the password strength criteria.

The NCSC further warns that the “continued low uptake of password managers to store and generate passwords” contributes to this predictability; it has encouraged businesses and individuals to adopt them in the past.

The NCSC blog post states that passwords made up of three random words “help users to create unique passwords that are strong enough for many purposes, and can be remembered much more easily.” This is helpful for people who are hesitant to use password managers or are unaware of them.

According to the NCSC, the three random words approach is effective because of its length, its impact, its freshness and its usability.

The NCSC understands that this strategy may raise concerns for some people because of past behaviour patterns. However, it suggests that individuals adopt the “think random” strategy as a response to improved search algorithms, weaker passwords and poorer password recall.

Yes, It’s Okay To Write Down Passwords – If Done Safely

Many people who work in the security sector advise against ever writing down or sharing passwords, especially for important business accounts. It can be argued that this advice is incompatible with the recommendation that users choose more complicated, obscure and hard-to-guess passwords.

There are some highly safe methods for keeping passwords, both digitally and physically. For example, if you write all of your passwords on a piece of paper and store it under your bed, a remote attacker is not going to get access to it.

Of course, there are also more advanced, user-friendly approaches to managing passwords, such as browser-based password saving or a dedicated password manager, both of which we strongly recommend. Most browsers, such as Chrome, and operating systems, such as iOS, allow users to store their passwords and to generate and recall highly secure complex passwords that are significantly stronger than three random words.

Writing passwords down, however, is not a scalable option for businesses. Administrators need a way to monitor who can access which accounts and to make sure everybody is using a secure password. Passwords also cannot be scribbled on Post-it notes and left around the workplace, an all-too-common occurrence that guarantees a data leak will eventually happen.

Like many password security experts, the NCSC strongly recommends using password managers. They make it feasible for everyone to use the strongest passwords, and they give enterprises the tools they need to establish safe password policies. Yet password managers haven’t exactly taken off, especially among end users. For this reason, enterprises without a password management system can still benefit from the NCSC’s recommendation to use three random words.

How Can You Create A Secure Password?

The best way to protect accounts from thieves is to use a password manager to create stronger, more complicated passwords and to make sure multi-factor authentication is used. Where no password manager is available, however, creating passwords from three random words can be a useful way to increase account security without adding unnecessary complexity or making passwords too hard to remember.

To ensure multi-layered account security, we advise firms to adopt a solid enterprise password management system and to make sure multi-factor authentication is enabled on all corporate accounts.

While some experts anticipate that the future will be password-free, passwords will be around for many years to come. Make sure your future is a stable and secure one.
