Using three random words is safer than using complex passwords, NCSC says

If you can't use a password manager, three random words make a strong password that's easy to remember

The UK's National Cyber Security Centre (NCSC) is advising the public to use three random yet memorable words to create passwords, instead of using passwords containing a series of random characters.

The 'three random words or #thinkrandom' is one of the NCSC's most popular pages on its website, even five years after its first publication. The agency revisited the idea in a recent post, concluding that it was still a good practice to choose three-word passwords, in place of complicated variations.

According to the NCSC, passwords created using three random words are usually longer and difficult to be predicted by hacking algorithms. Another advantage of using three-word passwords is that people can easily remember them and store them in a secure location, such as a password manager.

By contrast, more complicated passwords can often be guessed by using specialist software. The agency said cybercriminals target predictable strategies that are meant to make passwords more complex - like replacing the number one with an exclamation mark or substituting letter 'O' with a zero. Hackers are aware of such patterns and include them into their hacking software, negating any desired security from such passwords.

Three-word passwords can be easily modified as per different websites' requirements, as opposed to using random strings of letters, numbers and symbols.

The NCSC, however, acknowledges that using three random words to create passwords is not 100 per cent safe system, and algorithms can still be trained to crack it. Sometimes people could use predictable combinations of words that are easy to guess. More words will make a stronger password, but one that is harder to remember.

As a preferred option, the NCSC advises people and organisations to use password managers to generate unique strong passwords, but notes that uptake of these is still low.

The advice from the NCSC comes amid a dramatic rise in cybercrime during the pandemic.

In 2019, a survey of more than 1,000 British consumers by GMX showed that two-thirds of British internet users reused their passwords across their most important online accounts.

Only one-fifth of the survey respondents said they used a different password for each account they have had, while more than two-fifths admitted that they found the sheer number of different passwords required for managing various online accounts "overwhelming". And nine per cent had never changed their email account password - often using 'front door' as password for many online accounts.

Commenting on the NCSC's blog, Adam Philpott, EMEA president at McAfee Enterprise said: "With each new service comes a new password, or at least it should. However, the reality is that many of us are guilty of re-using the same passwords across multiple accounts.

"Businesses should use the advice provided by the NCSC as standard and make sure it's embedded into general best practices. Failing to understand the importance of password security will provide cybercriminals with unlimited opportunities, especially as we continue to shift to a hybrid working model."