A good password is one that is easy to remember, yet strong enough to keep accounts secure from cybercriminals. This is why creating a password is not always an easy task.
Some people use a password generator to create a long, unreadable password that is hard for anyone to remember, including its owner. Others rely on their own memory, coming up with a word that combines letters, numbers and symbols.
Both practices can produce passwords that are very hard to crack, simply because a long password can include any combination of characters imaginable, which in turn should make it harder to crack.
But according to the National Cyber Security Centre (NCSC), part of Government Communications Headquarters, there is another way.
In a blog post, the UK agency highlights how a password consisting of three random words can be better than a password with more complex variations.
This is because complex passwords sometimes follow patterns that can be guessed by criminals, and by the software they build to detect those patterns, while three-word passwords do not.
"Passwords generated from three random words help users to create unique passwords that are strong enough for many purposes, and can be remembered much more easily."
Because of this, people tend to create passwords that are long and follow certain patterns, or that use predictable words or numbers.
The agency said that hackers who want to crack an account would target predictable words and patterns, and expand their attempts from there.
Criminals can use tools to run brute-force attacks on accounts, and if the password follows a known pattern, the tool will crack it sooner or later.
“Counter-intuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords,” the agency said.
This is why passwords constructed from three random words can retain the length of a properly strong password while being a lot more difficult to predict, simply because they don't follow any known patterns.
The NCSC’s technical director, Dr Ian Levy, said:
"There are several good reasons why we decided on the three random words approach – not least because they create passwords which are both strong and easier to remember."
"By following this advice, people will be much less vulnerable to cybercriminals and I’d encourage people to think about the passwords they use on their important accounts, and consider a password manager."
The blog post conceded that using three random words cannot be 100% safe, because people might still use predictable word combinations.
This is why people should always avoid words that have obvious relevance to them, such as their children’s names, their birthday, or other facts about them.
While weaknesses can still be present, a three-word password has a major advantage in its usability "because security that’s not usable doesn’t work."
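As an added illustration (not code from the NCSC or from this article), the sketch below picks three distinct words with Python's `secrets` module, drops words the user flags as personally relevant, and reports the size of the resulting search space. The sample word list, the function names and the `personal_terms` parameter are assumptions constructed for the example.

```python
import math
import secrets

# Constructed sample list so the block runs offline. Assumption: a real list
# would hold several thousand common words; this one is far too small to use.
SAMPLE_WORDS = ["coffee", "train", "fish", "lantern", "orbit", "velvet",
                "cactus", "harbour", "pencil", "thunder", "maple",
                "Robin", "robin", "go"]


def usable_words(words, personal_terms=()):
    """Normalise the list and drop duplicates, very short entries, and any
    word with obvious relevance to the user (such as a child's name)."""
    banned = {term.strip().lower() for term in personal_terms}
    kept = []
    for word in words:
        word = word.strip().lower()
        if (len(word) >= 3 and word.isalpha()
                and word not in banned and word not in kept):
            kept.append(word)
    return kept


def three_random_words(words, count=3, sep="-"):
    """Pick `count` distinct words with the OS CSPRNG, so the choice does
    not follow a human pattern (the `random` module is not suitable)."""
    if len(words) < count:
        raise ValueError("word list too small")
    picked = []
    while len(picked) < count:
        word = secrets.choice(words)
        if word not in picked:
            picked.append(word)
    return sep.join(picked)


def search_space_bits(list_size, count=3):
    """log2 of the number of ordered picks without repetition."""
    return math.log2(math.perm(list_size, count))


if __name__ == "__main__":
    words = usable_words(SAMPLE_WORDS, personal_terms=["Robin"])
    print(three_random_words(words))
    print(f"{len(words)}-word list: {search_space_bits(len(words)):.1f} bits")
    print(f"5000-word list: {search_space_bits(5000):.1f} bits")
```

The search-space figure only holds when the words are chosen at random; words a person picks for themselves are exactly the predictable combinations the blog post warns about.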