Although it is not a panacea for passwords, using ‘three random words’ is better than imposing arbitrary complexity requirements.
Nearly five years after its initial publication, #thinkrandom is still one of the most visited pages on the NCSC site. It explains how you can combine three random words to create a password that is ‘random enough to keep the bad guys out’ but easy enough to remember.
This blog will:
Explain why the NCSC continues to encourage the ‘three random words’ strategy, at work and at home.
Respond to the concerns of NCSC customers who are considering this strategy.
We have already discussed how enforcing complexity requirements is an ineffective defence against guessing attacks. Because our minds cannot recall random strings of characters, we resort to predictable patterns, such as replacing the letter ‘o’ with a zero, to satisfy the ‘complexity requirements’.
These strategies are well known to attackers, who use them to optimise their attacks. Contrary to what you might expect, enforced complexity results in more predictable passwords. Faced with creating yet another password that meets specific requirements, users fall back on variations of passwords they already know and use. They are then lulled into believing the result is strong because it satisfies password strength meters (and is accepted by online services).
This is not the way to do it.
Long-standing, and poor, advice held that passwords must be memorised, and that keeping them in any form (in a browser, in a password manager or on a piece of paper) is dangerous.
Low adoption of password managers for storing and generating passwords continues to be a problem. The NCSC has encouraged individuals and organisations to use password managers for some time.
It is important to be clear that there are many ways to store your passwords securely: a password manager, a web browser or a piece of paper kept somewhere safe. Storing them means you do not have to memorise them all.
What are ‘three random words’?
Traditional password advice based around ‘password complexity’ failed because it asked us to do things most people simply cannot do (i.e. memorise a lot of long, complex passwords).
Users can create unique passwords from three random words that are strong enough for many purposes and easy to remember. This is a good option for people who do not know about password managers or are hesitant to use them. There are several reasons the NCSC chose the three random words strategy.
1) Length
Multiple words are more secure than single-word passwords. Longer passwords are commonly, and rightly, recommended. Encouraging people to build a ‘passphrase’ by combining words is a better way to achieve length than bolting extra characters onto the end of a password.
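The length argument above can be made concrete. The following is an added example (not code from the NCSC post): it picks three words with a cryptographically secure random source and compares the resulting guess space, in bits, against the stereotypical single dictionary word with predictable substitutions and a suffix. The word list and the counts of substitution and suffix patterns are constructed assumptions for illustration.

```python
import math
import secrets

# Constructed word list for demonstration only; a real list has thousands of entries.
WORDS = [
    "anchor", "basket", "candle", "dragon", "engine", "forest", "garden", "hammer",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pepper",
    "quartz", "ribbon", "saddle", "tunnel", "violet", "window", "yellow", "zipper",
]


def three_random_words(words=WORDS, count=3, separator=""):
    """Pick `count` words uniformly at random using the CSPRNG behind `secrets`.

    Uniform selection from the whole list is what makes the guess-space
    estimate below honest; a human "randomly" picking words is not uniform.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    if len(words) != len(set(words)):
        raise ValueError("word list must not contain duplicates")
    return separator.join(secrets.choice(words) for _ in range(count))


def guess_space_bits(list_size, count):
    """log2 of the number of equally likely passphrases, list_size ** count."""
    if list_size < 2 or count < 1:
        raise ValueError("need at least two words and one pick")
    return count * math.log2(list_size)


def substituted_word_bits(dictionary_size, substitution_patterns, suffix_patterns):
    """Guess-space bits for a single dictionary word with a predictable
    character substitution pattern (o->0, s->5, ...) and a short suffix.

    The pattern counts are assumptions: an attacker who knows the habits
    only has to try dictionary_size * substitution_patterns * suffix_patterns.
    """
    return math.log2(dictionary_size * substitution_patterns * suffix_patterns)


if __name__ == "__main__":
    print("sample passphrase:", three_random_words(separator="-"))
    # 7776 words is the size of a common diceware-style list (assumed here).
    print("three words from 7776:", round(guess_space_bits(7776, 3), 2), "bits")
    # Assumed: 10,000-word dictionary, 8 substitution habits, 100 common suffixes.
    print("one word + substitutions:", round(substituted_word_bits(10_000, 8, 100), 2), "bits")
```

Even with a modest word list, three uniformly chosen words comfortably exceed the guess space of a dictionary word dressed up with substitutions, which is the point the paragraph makes about length versus character sets.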
2) Impact
To have an impact, the NCSC needed to promote a technique across multiple media in a way that was easily understood in every context. ‘Three random words’ contains all of the information needed in the title itself, and it can be explained easily even to people who are not computer experts.
3) Novelty
The stereotypical password is a single dictionary word or name with predictable character substitutions. Recommending multiple words challenges that perception and encourages people to consider other ways of constructing passwords.
4) Usability
Complexity requirements are hard to comply with, which encourages users to reuse passwords. The power of three random words lies in its usability. Security that isn’t usable doesn’t work.
Response to concerns
We understand that system owners might have concerns about promoting the three random words technique over other approaches. It will not be required in all organisations: some will already have good password strategies in place, and others will not want to switch to something new.
If you are not using ‘three random words’ for any of the following reasons, you may want to reconsider.
1. “There are search algorithms that optimise for three random words”
True, but there are also search algorithms that optimise for complex passwords (the most popular type of password in use today). Many attempts have been made to determine which algorithm would be faster at recovering human-generated complex passwords or three random words. The ‘winner’ depends on assumptions about people’s behaviour, and it doesn’t really matter.
To gain the most benefit from any optimised algorithm, an attacker must know which algorithm to use. Given a large database in which people have used different methods to generate their passwords, any single optimised algorithm will be less effective. In real life this means attackers will need to try multiple algorithms, which is harder and takes longer than trying just one.
People often compare ‘three random words’ passwords with the random passwords generated automatically by password managers. Those passwords are stronger than either ‘three random words’ or human-generated complex passwords. It isn’t a good comparison, however, because password manager use is still very low. We hope that more people will use password managers, which will increase the variety of passwords.
2. “Three random words would not satisfy complexity requirements”
Many poor passwords are still able to meet complexity requirements. Although ‘Pa55word!’ may satisfy the rules for a complex password, it is not a good password because it is easily guessed. Meanwhile, unique, strong passwords generated from three random words would be rejected. Complexity requirements are a blunt instrument. To target weak passwords, the NCSC instead recommends a minimum length requirement and the use of a password deny list.
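To show why a minimum length plus a deny list targets weak passwords better than character-class rules, here is an added example (not code from the NCSC post). It implements a legacy ‘three of four character classes’ rule alongside a length-plus-deny-list rule, and normalises predictable substitutions (the ‘o’ to zero habit mentioned earlier) before the deny-list lookup. The deny list, the minimum length of 8 and the substitution table are constructed assumptions; a real deployment would load a large list of breached and common passwords.

```python
import re

# Constructed deny list for demonstration; real deployments use a large
# list of breached and commonly used passwords.
DENY_LIST = {"password", "pa55word", "pa55word!", "qwerty123", "letmein", "welcome1"}

# Lower, upper, digit, symbol: the usual "three of four classes" rule.
COMPLEXITY_CLASSES = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]

# Predictable substitutions users make to satisfy complexity rules (assumed set).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})


def complexity_policy(password, min_length=8):
    """Legacy rule: at least min_length characters and three of four classes.

    Accepts 'Pa55word!' and rejects 'coffeetrainfish', which is backwards.
    """
    classes = sum(1 for rx in COMPLEXITY_CLASSES if rx.search(password))
    return len(password) >= min_length and classes >= 3


def normalise(password):
    """Reduce a password to the base word an attacker would start from:
    lower-case it, drop a trailing run of digits/symbols ('123', '!'),
    then undo the common character substitutions."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(SUBSTITUTIONS)


def deny_list_policy(password, min_length=8, deny_list=DENY_LIST):
    """Length-plus-deny-list rule: no character-class requirements.

    Returns (accepted, reason). Both the raw password and its normalised
    form are checked so 'P@ssw0rd123' is caught as 'password'.
    """
    if len(password) < min_length:
        return False, "too short"
    if password.lower() in deny_list or normalise(password) in deny_list:
        return False, "on deny list"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Pa55word!", "P@ssw0rd123", "coffeetrainfish", "short"):
        print(f"{candidate:16} complexity={complexity_policy(candidate)!s:5} "
              f"deny_list={deny_list_policy(candidate)}")
```

The two rules disagree on exactly the cases the text describes: the complexity rule waves through the predictable substitution and blocks the three-word passphrase, while the length and deny-list rule does the reverse.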
3. “People will have trouble remembering passwords made up of three random words for multiple accounts”
We have already discussed the coping strategies people use to create complex passwords (strategies that are well known to cybercriminals). Three random words does not make it possible to remember every password you have; we expect the method to be used in conjunction with secure storage.
Towards ‘password diversity’
We need to make life harder for attackers by increasing the variety of passwords in use, reducing the number that can be recovered with efficient, cheap search algorithms. An attacker then has to use multiple search algorithms (or inefficient ones) to recover a worthwhile number of passwords.
Complexity requirements currently work actively against password variety, for all of the reasons above: they have caused strategies to converge and diversity to fall. We need to encourage other password construction strategies, such as ‘three random words’, which rely on length rather than character sets, to increase that diversity. This nudges people towards passwords they would not otherwise have chosen, which increases the diversity of the ecosystem.
We hope that, before convergence becomes a problem for three random words, the technology sector will make greater efforts to reduce our dependence on passwords over the long term.