Whilst not a password panacea, using 'three random words' is still better than enforcing arbitrary complexity requirements.
In this blog, we're going to:
explain why the NCSC continue to promote 'three random word' strategy (both at home and at work)
respond to some concerns raised by NCSC customers who may be considering this strategy
The problems of complexity requirements
We've covered, at length, how enforcing complexity requirements is a poor defence against guessing attacks. Our minds struggle to remember random character strings, so we use predictable patterns (such as replacing the letter ‘o’ with a zero) to meet the required 'complexity' criteria.
Of course, attackers are familiar with these strategies and use this knowledge to optimise their attacks. Counter-intuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords. Faced with making yet another password with specific requirements, users fall back on variations of something they already know and use, falsely believing it to be strong because it satisfies password strength meters (and is accepted by online services).
None of this is helped by:
Longstanding (and poor) advice that passwords have to be memorised, and storing them in any way (either in a password manager, a browser, or on a piece of paper) is risky.
The continued low uptake of password managers to both store and generate passwords (the NCSC has encouraged organisations and individuals to use password managers for some time now).
To be absolutely clear, there are a number of ways you can securely store your passwords, in a password manager, a browser, or on a piece of paper, so remembering them is no longer a problem*.
Why three random words?
The traditional password advice built around 'password complexity' failed because it told us to do things that most of us simply can't do (i.e. memorise lots of long, complex passwords).
Passwords generated from three random words help users to create unique passwords that are strong enough for many purposes and can be remembered much more easily. This is also good for those who aren't aware of password managers or are reluctant to use them. However, there are several other reasons why the NCSC chose the three random words strategy.
Length
Passwords made from multiple words will generally be longer than passwords made from a single word. Length is a common (and recommended) requirement for passwords, and promoting the use of a 'passphrase' created by combining words provides a way to achieve this without relying on predictable patterns (such as the addition of ! at the end of a password).
Impact
To have a meaningful impact, the NCSC needed to be able to promote a technique across different media, in a way that could be quickly understood in most contexts. 'Three random words' contains all the essential information in the title, and can be quickly explained, even to those who don't consider themselves computer experts.
Novelty
The stereotypical password is a single dictionary word or name, with predictable character replacements. By recommending multiple words we immediately challenge that perception and encourage a range of passwords that have not previously been considered.
Usability
The main issue with enforcing complexity requirements is that it's difficult for users to generate, remember, and enter complex passwords correctly without substantial effort, which further encourages the re-use of passwords. The power of 'three random words' is in its usability, because security that's not usable doesn't work.
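As an added illustration (not code from the NCSC post), the Python below puts a typical complexity rule next to a length-based rule, shows a three-random-words generator built on a CSPRNG, and estimates the guess space an attacker who knows the word list faces. The word list, the 15-character minimum and the 7776-word list size used in the test are assumptions.

```python
import math
import secrets

# Constructed sample word list; a real deployment would load a far larger one.
WORDS = ["coffee", "trellis", "walrus", "anchor", "meadow", "piano",
         "lantern", "gravel", "velvet", "orbit", "thistle", "cobalt"]


def three_random_words(words=WORDS, n_words=3, sep=""):
    """Join n_words chosen with secrets (CSPRNG), never the random module."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def guess_space_bits(wordlist_size, n_words=3):
    """Bits of guess space if the attacker knows both the scheme and the
    word list: wordlist_size ** n_words equally likely passphrases."""
    return n_words * math.log2(wordlist_size)


def complexity_policy(pw):
    """The 'arbitrary complexity' rule the post argues against:
    at least 8 characters with upper, lower, digit and symbol.
    Predictable substitutions such as o -> 0 sail through it."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def length_policy(pw, min_len=15):
    """Length-based rule (assumed minimum): no character-class demands,
    so a three-word passphrase passes while short substitution
    passwords do not."""
    return len(pw) >= min_len


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", three_random_words()):
        print(f"{candidate!r}: complexity={complexity_policy(candidate)} "
              f"length={length_policy(candidate)}")
    print(f"3 words from 7776: {guess_space_bits(7776):.1f} bits")
```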