Combining three random words together is more effective than using complex combinations for passwords, says the National Cyber Security Council (NCSC).
An NCSC blog post on Aug. 9 explains how this approach, which it calls “think random,” helps “keep the bad guys out.” The post follows on from an earlier one published almost five years ago, “Three random words or #thinkrandom”.
According to the post, enforcing “complex requirements” on passwords is a poor defense against guessing attacks. This is because “the mind has difficulty memorizing random strings of characters,” so people fall back on “predictable patterns” to meet the required criteria.
Attackers know this all too well and use it to make their guessing more effective. According to Verizon, compromised passwords are responsible for 81 percent of hacking-related data breaches.
“Contrary to intuitiveness, the enforcement of these complexity requirements leads to the creation of predictable passwords,” says the NCSC article. “When faced with creating another password with specific requirements, users fall back on variations of something they already know and use and mistakenly believe that it is strong because it meets password strength meters (and is accepted by online services).”
The NCSC also notes that the “continued low use of password managers to store and generate passwords” contributes to this predictability. It has been encouraging organizations and individuals to use them for some time.
“Passwords generated from three random words help users create unique passwords that are strong enough for many purposes and are much easier to remember,” explains the NCSC blog post. “This is also good for those who are unfamiliar with password managers or are reluctant to use them.”
The NCSC says the three random words theory is effective because of its length, impact, novelty, and ease of use.
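As an added illustration of the argument above (not code from the NCSC post or from this article), the following Python contrasts a typical complexity rule, which happily accepts the predictable "capitalised word plus digit plus symbol" pattern, with a CSPRNG-based three-random-words generator whose strength comes from uniform choice rather than from character classes. The wordlist and the pattern heuristic are constructed for the example; a real deployment would use a wordlist of several thousand entries.

```python
import math
import re
import secrets

# Constructed sample wordlist; each word chosen uniformly contributes
# log2(len(WORDLIST)) bits, so 16 words give 4 bits per word.
WORDLIST = ["apple", "river", "cloud", "tiger", "piano", "stone", "lemon", "dusk",
            "maple", "ocean", "candle", "fox", "garden", "harbor", "island", "jungle"]

# The three most common passwords in the NordPass 2020 figures cited in the article.
COMMON_PASSWORDS = {"123456", "123456789", "picture1"}

# A typical "complexity" policy: 8+ characters with upper, lower, digit and symbol.
COMPLEXITY_RULES = [r".{8,}", r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]


def meets_complexity_rules(pw):
    """True if every complexity rule matches; says nothing about predictability."""
    return all(re.search(rule, pw) for rule in COMPLEXITY_RULES)


def looks_like_predictable_pattern(pw):
    """Heuristic (constructed for this example) for the patterns users fall back on
    to satisfy complexity rules: a known common password, or one capitalised word
    followed by a short run of digits and symbols."""
    if pw.lower() in COMMON_PASSWORDS:
        return True
    return re.fullmatch(r"[A-Z][a-z]{3,}[0-9!@#$%^&*]{1,6}", pw) is not None


def three_random_words(wordlist=WORDLIST, count=3, sep=""):
    """Join `count` words drawn uniformly with the secrets CSPRNG (never random.choice)."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


def uniform_entropy_bits(alphabet_size, length):
    """Entropy of a secret whose `length` symbols are each drawn uniformly
    from `alphabet_size` options; this is only achieved when the choice is
    actually random, which is why the generator above uses secrets."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["Password1!", "123456", three_random_words(sep="-")]:
        print(candidate, "complex:", meets_complexity_rules(candidate),
              "predictable:", looks_like_predictable_pattern(candidate))
    print("bits for 3 words from this list:", uniform_entropy_bits(len(WORDLIST), 3))
```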
The NCSC acknowledges that, for some, this tactic may be a cause for concern based on past behavior. It nonetheless advises using the “think random” technique and responds to three objections: that attackers could optimize their search algorithms for it, that it produces weaker passwords, and that it leads to poor password recall.
“We recognize that some system owners may have concerns about using the three-random-word technique on others,” says the NCSC. “It may not be required for all organizations.
“However, if you’re not using ‘three random words’ for any of the following reasons, you should consider it.”
According to the NordPass ‘Top 200 most frequent passwords in 2020’ list, the top three passwords are “123456”, “123456789” and “picture1”.