A Password Using Three Random Words Is Better Than A Complex One, Expert Said

A good password is one that is easy to remember but strong enough to keep accounts secure from cybercriminals. This is why creating a password may not be an easy task.

Some people use a password generator to create a long, unreadable password that is hard for anyone to remember, including its owner. Others rely on their own brain, coming up with a word that combines letters, numbers and symbols.

These two practices can create some of the most uncrackable passwords, simply because a long password can combine every possible kind of character, which in turn should make it harder to crack.

But according to the National Cyber Security Centre (NCSC), part of Government Communications Headquarters, there is another way.

In a blog post, the UK agency highlights how a password consisting of three random words can be better than a password with more complex variations.

This is because complex passwords can sometimes follow a pattern that can be guessed by criminals and by the software they build to detect such patterns, while three-word passwords do not.

"The traditional password advice built around 'password complexity' failed because it told us to do things that most of us simply can't do (i.e. memorise lots of long, complex passwords)."

"Passwords generated from three random words help users to create unique passwords that are strong enough for many purposes, and can be remembered much more easily."

Because of this, people tend to create passwords that are long and follow certain patterns, or that use predictable words or numbers.

The agency said that hackers who want to crack an account would target predictable words and patterns, and expand their attempts from there.

Criminals can use tools to run brute-force attacks on accounts, and if the password follows a known pattern, the tool will crack it sooner or later.

“Counter-intuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords,” the agency said.

This is why passwords constructed from three random words can retain the length of a properly strong password while being a lot more difficult to predict, simply because they don't follow any known patterns.
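The idea above as an added example (not code from the NCSC or from the original article): three words are drawn with a CSPRNG rather than chosen by the user, and a simple check flags one predictable shape that complexity rules tend to produce. The word list, the regex and the function names are assumptions made for this illustration.

```python
import math
import re
import secrets

# Constructed sample list for illustration only. A real deployment would load
# a list of several thousand common words so the search space is large.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "desert", "engine", "forest", "guitar",
    "harbor", "island", "jacket", "kettle", "ladder", "magnet", "needle",
    "orange", "pencil", "quartz", "rocket", "saddle", "tunnel", "umpire",
    "velvet", "walnut", "yellow", "zipper", "bridge", "copper", "donkey",
    "feather", "garden", "hammer", "lantern",
]

# Assumed example of a shape produced by "complexity" rules: one capitalised
# word, then 1-4 digits, then an optional single symbol (e.g. "Summer2021!").
COMPLEXITY_PATTERN = re.compile(r"[A-Z][a-z]+\d{1,4}[^A-Za-z0-9]?")


def three_random_words(wordlist=SAMPLE_WORDS, count=3, sep="-"):
    """Pick `count` words uniformly with a CSPRNG, never by human choice."""
    pool = sorted(set(wordlist))
    if len(pool) < 2:
        raise ValueError("word list is too small to be useful")
    return sep.join(secrets.choice(pool) for _ in range(count))


def passphrase_bits(list_size, count=3):
    """Entropy in bits of `count` independent uniform picks from the list."""
    if list_size < 2 or count < 1:
        raise ValueError("need at least two words and one pick")
    return count * math.log2(list_size)


def follows_complexity_pattern(password):
    """True if the whole password matches the assumed predictable shape."""
    return COMPLEXITY_PATTERN.fullmatch(password) is not None


if __name__ == "__main__":
    phrase = three_random_words()
    print(phrase, f"{passphrase_bits(len(set(SAMPLE_WORDS))):.1f} bits (sample list)")
    print("2048-word list:", passphrase_bits(2048), "bits")
    for candidate in ("Summer2021!", phrase):
        print(candidate, "-> predictable shape:", follows_complexity_pattern(candidate))
```

The entropy figure only holds when the words really are picked at random from the list; words a person selects because they are personally meaningful do not get that guarantee.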


The NCSC’s technical director, Dr Ian Levy, said:

"Traditional password advice telling us to remember multiple complex passwords is simply daft."

"There are several good reasons why we decided on the three random words approach – not least because they create passwords which are both strong and easier to remember."

"By following this advice, people will be much less vulnerable to cybercriminals and I’d encourage people to think about the passwords they use on their important accounts, and consider a password manager."

The blog post conceded that using three random words cannot be 100% safe because people might still use predictable word combinations.

This is why people should always avoid using words that have obvious relevance to them, such as their children’s names, their date of birth, or other personal facts.

While weaknesses can still be present, a three-word password has a major advantage in its usability "because security that’s not usable doesn’t work."

"Whilst not a password panacea, using 'three random words' is still better than enforcing arbitrary complexity requirements."
