020 3633 3182

Call Us for IT & Cyber Security Advice

0 %
Response times

We guarantee to get back to you within 30 seconds 99% of the time.

0 +

100+ Customers have experienced the benefits of our IT Support.

0 %
Specialist support

95% of our customers would recommend us as a specialist.

0 %
Response times

100% of our calls are answered by specialist engineers.

“3 Random Words” Strategy

For many years, the accepted security advice has been that using multi-factor authentication and long, complicated passwords with plenty of symbols and digits is the gold standard for password protection. Attacks on accounts that have been compromised have grown by 20% in the previous year, and this is thought to be the greatest strategy to lessen them.

However, the NCSC reinforced its recommendation in a recent blog post that using a combination of three random words is a far more efficient method to secure account access than using an extremely complex password. This essay will dissect the NCSC’s recommendations, outline the drawbacks of using excessively complicated passwords, and discuss the best practises for managing password complexity in the workplace. 


Why is it Not Advisable to Use Complex Passwords?

Using a simpler password could seem counterproductive. That would undoubtedly be less secure. Perhaps not, then. Even if more complicated passwords are more difficult to crack, the majority of individuals don’t choose passwords that are safe enough for this to be a consideration. 

Let’s step back a moment. Cybercriminals primarily employ three sorts of assaults to try and acquire credentials. Social engineering is first. Cybercriminals are attempting to use phony login pages or other tricks to get your password from you. No matter how safe your password is, they’ll have it if this assault succeeds. Multi-factor authentication is crucial in this situation. 

Attacks using brute force are the second. Cybercriminals do this by running an algorithm that tries every possible combination of passwords until it finds yours. The length and complexity of the attack do important in brute force attacks. Your password’s length and complexity will affect how long it takes for attackers to figure it out. 

A dictionary attack is the third tactic. This entails attackers trying to track your password by using a list of terms, such as each word in the English language. Although less sophisticated than a brute force attack, this illustrates the need to make passwords more complicated in order to prevent their compromise. 

As we can see, two of these techniques perform significantly worse when confronted with lengthy, intricate passwords. 


Considering this information, what would be the rationale behind opting for simpler passwords?

The issue is that few people utilise lengthy, intricate passwords. They are challenging to use and nearly impossible to recall, especially given that the typical person nowadays must maintain hundreds of accounts. “My experience is that the more complex the password, the more inclined you are to write it down somewhere,” identity expert Keiron Dalton told Expert Insights.”

As a result, many substitute small changes like capitalising a letter or changing the letter “I” to a “1” for passwords. Unfortunately, this actually reduces the security of passwords.  

Cybercriminals are aware that this is the most popular method for users to attempt to create a difficult password. Contrary to expectations, increasing the complexity of passwords actually makes them simpler to guess. 

The best practise is to employ a truly complicated string of unrelated letters, numbers, and symbols, however, most individuals can’t implement that. In order to boost password security, it may be better to use three random words or phrases together. 


Simply Pick Three Random Words. No Kidding.

Combine three random words to create a password that’s ‘long enough and strong enough’. 

A blog entry from the NCSC on August 9 expands on an earlier one from nearly five years ago. “Three random words or #thinkrandom,” explaining how this train of thinking or “think random” aids in “keeping the bad guys out.”

Enforcing “complex requirements” for passwords is a subpar defence against password guessing attacks, claims the post. As a result, “minds have difficulty recalling random character strings,” and since we are all human, we rely on “predictable patterns” to satisfy the requirements. This is something that cybercriminals are very familiar with and employ in order to strengthen their assaults. According to Verizon, 81 percent of hacking-related data breaches are caused by leaked passwords. 

According to the NCSC publication, “contrary to intuition, the implementation of these requirements for complexity results in the generation of more predictable passwords.” Users default to variations of something that they already know and use when faced with creating an additional password with specific requirements, mistakenly believing that it is strong since it meets password strength criteria. 

The NCSC further warns that the “continued low uptake of password managers to store and generate passwords” is what causes this predictability. It has inspired businesses and individuals to use them in the past.

The NCSC blog post states that passwords made up of three random words “help users to create unique passwords that are strong enough for many purposes, and can be remembered much more easily.” This is advantageous for those who are hesitant to utilise password managers or are unaware of them. 

The length, impact, freshness, and usefulness of the three random word hypothesis, according to the NCSC, make it effective. 

The NCSC understands that this strategy may raise concerns for some people because of past behaviour patterns. However, it suggests that individuals use the “think random” strategy and adapt to improved search algorithms, weaker passwords, and poorer password recall. 


Yes, It’s Okay To Write Down Passwords – If Done Safely

Many people who work in the security sector advise against ever writing down or sharing their passwords, especially for important business accounts. Arguments can be made that this advise is incompatible with the recommendation that users use more complicated, obscure, and challenging passwords. 

There are some highly safe methods for keeping passwords both digitally and physically. For example, if you write out all of your passwords in a piece of paper and store it under your bed, a hacker is probably not going to get access to it. 

Of course, there are also more advanced, user-friendly approaches to managing passwords, such as browser-based password saving or a password manager specifically designed for the purpose, both of which we strongly advise. The majority of browsers, such as Chrome, or operating systems, such as iOS, allow users to store their passwords as well as create and recall highly secure complicated passwords that are significantly better than using three random words. 

This is not a scalable option for businesses. Administrators require a method for monitoring who may access which accounts and making sure that everybody is using a secure password. Additionally, passwords cannot be scribbled on Post-it notes and left all around the workplace, which is an all-too-common occurrence. It guarantees that a data leak will eventually happen. 

As do many password security experts, the NCSC also strongly advises using password managers. They make it feasible for everyone to use the strongest passwords, and they provide enterprises with the resources they need to establish safe password policies. Password managers haven’t exactly taken off, especially among end users. For this reason, enterprises without a password management system might still benefit from the NCSC’s recommendation to utilise three random words. 


How Can You Create A Secure Password?

The greatest method of protecting accounts from thieves is to use a password manager to make passwords more complicated and secure multi-factor authentication is used. However, with the lack of a password manager service, creating passwords with three random words can be a useful strategy to increase account security without adding unnecessary complexity or making them too difficult to remember. 

In order to ensure multi-layered account security, we advise firms to adopt a solid enterprise password management system and make sure multi-factor authentication is activated on all corporate accounts. 

While some experts anticipate that the future will be password-free, passwords will be around for many years to come. Make sure your future is a stable and secure one.



Weekly Blogs For A Quick Informative Read!

Our Partners

Clients Testimonials

We take pride in our service and maintaining strong relationships with our customers.

Being partnered with WPC is a joy. Their level of service and turnaround is exceptional. As is every member of the support team that I am in contact with. Savvy support and great to work with!


Stephen Sawley, Director

I have worked with this company for over 4 years and can safely say that the customer service is second to none. The staff go above and beyond to assist with clients and suppliers and are always very friendly and responsive. I would highly recommend Workplace to anyone looking for a quality IT partner.

Elliot Azim, Director

We have been using Workplace Connect for around 2 years now, and have found them to be a great company to work with. The change over from our last provider was seamless, and we have enjoyed an uninterrupted service since then. They are always available to assist with any enquiries, and deal with all matters promptly. I wouldn't hesitate to recommend them to other businesses.

Mark G, Director

Your Partners in Professional Excellence

Round-the-Clock Assistance:

Our commitment to your success knows no bounds. Experience unwavering support with our 24/7 service, ready to serve you anytime, any day.

Strategic Locations for Strategic Partnerships:

Basingstoke: Never Despair Studios, Unit 2, Alton Road, Hook, RG29 1RT

London: 86-90 Paul Street, London, EC2A 4NE

Dedicated Expertise for Specialised Sectors:

Speak to a Specialist

If you have any queries or would like to learn more about how we can support your business, contact us today.


Get Our Free Guide

Get our free guide today to learn the key threats you should be looking out for when using your device and working online.

This free guide includes:

If you would like further advice and support then contact us today!

Latest Resources

Use our latest resources to learn more and keep updated on news regarding cyber security and IT.