Creating A Secure Password: Should You Use Three Random Words?
New advice suggests that use of three random words is better than using complex variations of passwords
By Joel Witts | Updated Nov 24, 2022
How should you create a secure password?
For many years, the prevailing security advice has been that the use of long, complex passwords with lots of symbols and numbers is the password gold standard, alongside the use of multi-factor authentication. This is considered the best way to help reduce account compromise attacks, which have increased by 20% in the last year.
In a recent blog post, however, the NCSC reiterated their advice that instead of crafting a highly complex password, a much more effective way to secure account access is to use a combination of three random words. In this article, we’ll break down the NCSC’s advice, explain the problems with using overly complex passwords, and go over the best ways for businesses to manage password complexity.
What’s Wrong With Using Complex Passwords?
In a recent article, we discussed how organizations can create a secure password policy. Here, we also advise using a passphrase, rather than trying to create an overly complex password that is likely to be forgotten.
It may seem counterintuitive to use a more basic password. Surely that would be less secure? Well, perhaps not. While more complex passwords are harder to crack, most people don’t use passwords that are secure enough for this to be a factor.
Let’s take a step back. There are three main types of attacks cybercriminals use to try and gain access to passwords. The first is social engineering. This involves cybercriminals trying to trick you into giving them your password with fake login pages or scams. If this attack is successful, no matter how secure your password is, they’ve got it. This is where multi-factor authentication is most important.
The second is brute force attacks. This involves cybercriminals running an algorithm which guesses every single password combination possible until it hits yours. When it comes to brute force attacks, length and complexity do matter. The longer and more complicated your password is, the longer it will take attackers to crack the password in question. There is a useful tool here, which you can use to see how long it will take a cybercriminal to crack some of your passwords.
The third is a dictionary attack. This involves attackers using a list of words, such as every word in the English language, to try and crack your password. This is less advanced than a brute force attack, but again means that it’s sensible to add complexity to passwords to avoid them being compromised.
As we can see, two of these attacks are much less effective against long, complex passwords. So, with this being the case, why would we want to make passwords simpler?
Well, the problem is, most people don’t use long, complex passwords. They’re difficult to use and impossible to remember, especially when the average person today has hundreds of accounts to manage. As identity expert Keiron Dalton told Expert Insights: “My experience is that the more complicated the password, the more likely you are to write it down somewhere!”
So, instead, people use slight variations on passwords, like using a capital letter, or swapping out the letter ‘I’ for a one. But unfortunately, this actually makes passwords less secure.
Cybercriminals know this is the most common way for people to try to make their passwords complex, and password-cracking tools apply exactly these substitutions as rules to every dictionary word they try. Perversely, adding a small, predictable amount of complexity to passwords is making them even easier to crack.
So, while the gold standard is to use a truly complex string of random letters, numbers and symbols, the reality is for most people that’s simply not workable. And so, using three random words or phrases together could be the best way for people to increase password security.
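To put the brute force and dictionary attack figures from the sections above on a common scale, here is an added Python example (not code from the article or from the NCSC) that counts the search space, in bits, for a genuinely random character string, for a single dictionary word dressed up with the usual substitutions, and for three random words, and converts each into time to exhaust at an assumed guess rate. The word-list size (7776 words), the guess rate (10^10 guesses per second) and the substitution table are assumptions chosen for illustration, not figures from the article.

```python
import math

# Constructed assumptions for this example (not figures from the article):
DICTIONARY_WORDS = 7776      # size of a typical public word list (a Diceware-style list)
GUESSES_PER_SECOND = 1e10    # assumed offline cracking rate against a fast hash


def bits_for_random_chars(length: int, charset_size: int) -> float:
    """Search space, in bits, of a uniformly random string; brute force must cover all of it."""
    return length * math.log2(charset_size)


def bits_for_random_words(word_count: int, dictionary_size: int = DICTIONARY_WORDS) -> float:
    """Search space, in bits, of N words chosen uniformly at random from a public word list."""
    return word_count * math.log2(dictionary_size)


# The predictable "complexity" tweaks that cracking rule sets apply to every word they try.
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def substitution_variants(word: str) -> set[str]:
    """Every spelling reachable by optional leet substitutions plus an optional capital first letter."""
    variants = {""}
    for ch in word.lower():
        options = {ch} | ({SUBSTITUTIONS[ch]} if ch in SUBSTITUTIONS else set())
        variants = {v + o for v in variants for o in options}
    capitalised = {v[0].upper() + v[1:] for v in variants if v and v[0].isalpha()}
    return variants | capitalised


def bits_for_tweaked_word(word: str, dictionary_size: int = DICTIONARY_WORDS) -> float:
    """Search space of one dictionary word plus all of its substitution variants."""
    return math.log2(dictionary_size) + math.log2(len(substitution_variants(word)))


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole search space at the assumed guess rate."""
    return 2 ** bits / rate


def compare(word: str = "password") -> dict[str, float]:
    """Search-space bits for the strategies discussed in the article, side by side."""
    return {
        "8 random chars (95 printable)": bits_for_random_chars(8, 95),
        "dictionary word + leet tweaks": bits_for_tweaked_word(word),
        "three random words": bits_for_random_words(3),
        "12 random chars (95 printable)": bits_for_random_chars(12, 95),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:32s} {bits:6.1f} bits  ~{seconds_to_exhaust(bits):.2e} s to exhaust")
```

Run as a script it prints one line per strategy. The dictionary word with every substitution applied comes out just under 18 bits (the 32 variants of "password" add only five bits to the word list), while three random words from the same list land near 39 bits; the two random-character rows show what the "gold standard" buys when people actually manage to use it.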
The Problems With Three Random Words
Of course, using three random words isn’t perfect either. There are some cybercriminal algorithms which are starting to look at three random words, meaning they too may become less secure over time, as cybercriminals optimize hacking tools for this strategy.
People may also choose three very easy to guess words, which would be very quick for cybercriminals to crack, especially if the words relate to the account or include the user’s name. The words must truly be random, and not easy for anyone to guess.
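One way for a password policy to enforce the "truly random" requirement described above, as an added Python example that is not the article's or the NCSC's code: pick the words with the operating system's CSPRNG rather than a user's imagination, and reject any passphrase that reuses a very common word or anything derived from the user's name, email address or organisation. The short word list, the common-word list and the sample user context are constructed for the example; a real deployment would load a large public word list.

```python
import re
import secrets

# Constructed word list for the example; a real deployment loads a large public list.
WORD_LIST = ["copper", "lantern", "meadow", "quartz", "velvet", "harbor", "pixel", "saddle",
             "tundra", "walnut", "glacier", "ember", "mango", "orbit", "ripple", "thistle"]

# Constructed denylist of words common enough to be tried first by a dictionary attack.
COMMON_WORDS = {"password", "welcome", "monday", "summer", "company", "admin"}


def generate_three_words(word_list=WORD_LIST, separator: str = "-") -> str:
    """Pick three distinct words using secrets (CSPRNG), never the random module."""
    pool = list(word_list)
    chosen = []
    for _ in range(3):
        word = secrets.choice(pool)
        pool.remove(word)          # no repeats: each word must add new entropy
        chosen.append(word)
    return separator.join(chosen)


def _tokens(text: str, min_len: int = 1) -> list[str]:
    """Lower-case alphabetic tokens of a string (splits on digits, dots, @, hyphens, spaces)."""
    return [t for t in re.split(r"[^a-z]+", text.lower()) if len(t) >= min_len]


def passphrase_problems(passphrase: str, user_context: list[str], min_words: int = 3) -> list[str]:
    """Reasons a three-word passphrase is guessable; an empty list means it passes."""
    words = _tokens(passphrase)
    problems = []
    if len(words) < min_words:
        problems.append(f"needs at least {min_words} words, found {len(words)}")
    if len(set(words)) != len(words):
        problems.append("repeats a word")
    # Anything in the user's name, email or organisation (3+ letters) is an obvious first guess.
    context_tokens = {t for item in user_context for t in _tokens(item, min_len=3)}
    for w in words:
        if w in COMMON_WORDS:
            problems.append(f"'{w}' is a very common word")
        if any(w in t or t in w for t in context_tokens):
            problems.append(f"'{w}' is derived from the user's name, email or organisation")
    return problems


if __name__ == "__main__":
    context = ["Jane Smith", "jane.smith@acme-widgets.example"]   # constructed sample user
    print("generated:", generate_three_words())
    print("check of 'Smith-Password-Widgets':", passphrase_problems("Smith-Password-Widgets", context))
```

The check runs on the lower-cased alphabetic words only, so separators, digits and capitals cannot be used to sneak a rejected word past it. The substring test in both directions is deliberate: "smith" inside "smithy" and "acme" inside "acmeco" are both flagged.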
Using three random words may also be difficult for users to remember, encouraging them to write the passwords down, or share them with friends. However, it’s not always a bad idea to write passwords down, especially if they’re stored in a secure place.
Yes, It’s Okay To Write Down Passwords – If Done Securely
There’s a lot of advice in the security industry that people shouldn’t ever write down or share passwords, especially for secure business accounts. However, that advice arguably isn’t compatible with telling people that passwords have to be more complex, less easy to guess and more difficult to remember.
There are some very secure ways of storing passwords, both digitally and in the real world. If you write down all of your passwords in a notebook, and keep that under your bed, for example, it’s probably not going to be hacked by a cybercriminal.
Of course, there are also more modern, user-friendly ways for people to manage passwords, such as browser-based password storing, or a dedicated password manager, the use of which we highly recommend. Most browsers like Chrome, or operating systems like iOS, will store passwords for users, and generate and remember highly secure complex passwords which are much better than the use of three random words.
For businesses, writing passwords down isn’t a scalable solution either. Admins need a way to ensure that everyone is using a secure password, with reporting over who can access which accounts. Passwords also cannot be written down on post-it notes and scattered around the office, which all too commonly occurs. It’s a sure-fire way for a data breach to occur eventually.
Therefore, for businesses, we recommend the use of an enterprise password management solution. These services allow users to generate secure passwords automatically, storing them in a highly secure encrypted password vault. Passwords are easily accessible, and admins get all the visibility they need into password hygiene, without being able to see the passwords themselves. They also allow users to securely and easily share passwords.
The NCSC also highly recommends the use of password managers, as do many password security experts. They help to ensure everyone can use the most secure passwords possible and give businesses the tools they need to create secure password policies. However, uptake of password managers has been slow, especially among end-users. For this reason, the NCSC’s advice to use three random words is still useful for organizations who do not have a password management solution in place.
How To Create A Secure Password?
Increasing the complexity of passwords via a password manager, alongside implementing secure multi-factor authentication, is the best way of securing accounts against cybercriminals. But, in the absence of a password manager solution, using three random words can be an effective way of improving account security, without adding superficial complexity or making passwords too difficult to remember.
Joel Witts is the Content Director at Expert Insights, meaning he oversees articles published and topics covered. He is an experienced journalist and writer, specialising in identity and access management, Zero Trust, cloud business technologies, and cybersecurity. Joel has conducted interviews with hundreds of industry experts, including directors at Microsoft and Google. Joel holds a First Class Honours degree in Journalism from Cardiff University.