Amidst a push for passwordless authentication, a 2016 document from the UK’s National Cyber Security Centre (NCSC) advising people to use three random words as passwords, instead of creating complex strings, has stirred up quite a storm, compelling the organization to further explain its guidance.
The NCSC argues that asking users to create complex, counter-intuitive passwords that follow a set of composition rules in fact helps malicious actors: knowing the rules and the patterns users fall into when satisfying them, attackers can tune their brute-force and guessing attacks accordingly.
“Passwords generated from three random words help users to create unique passwords that are strong enough for many purposes, and can be remembered much more easily. This is also good for those who aren't aware of password managers, or are reluctant to use them,” suggests Kate R, People Team Lead, Sociotechnical Security Group, NCSC.
Responding to criticism
The NCSC’s suggestion to use three random words has been panned in several quarters.
Responding to the criticism, the NCSC addresses the main concerns in a new blog post. It first argues that while algorithms exist for brute forcing three random words, they are not as simple to apply or as widely deployed as those for brute forcing rule-based passwords.
It also points out that weak passwords are not unique to its suggestion: rule-based passwords can be just as weak, because users following the same rules converge on the same predictable patterns.
To address this concern, the NCSC suggests mandating “a minimum length requirement combined with the application of password deny lists.”
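The two controls the NCSC names, a minimum length and a deny list, are simple to implement, and the guess-space arithmetic behind its argument is easy to check. The example below is added here for illustration and is not NCSC code; the deny-list entries, the 15-character minimum, the dictionary sizes and the “Word + digits + symbol” pattern model are all assumptions chosen to show the comparison, not figures from the NCSC guidance.

```python
"""Added example (not NCSC code): a minimum-length plus deny-list check, beside
a rough guess-space comparison of a rule-shaped password and a three-random-word
passphrase. All lists, sizes and thresholds below are constructed assumptions."""
import math
import re

# Constructed deny list for illustration. A real deployment would load a large
# breach-derived list; these entries only exercise the check.
DENY_LIST = {
    "password", "qwerty", "letmein", "welcome", "iloveyou",
    "correcthorsebattery",  # a famous passphrase is no longer random
}

# Assumption: 15 characters is roughly what three typical English words cover.
MIN_LENGTH = 15


def normalise(pw: str) -> str:
    """Lower-case and strip leading/trailing digits and symbols, so that a
    decorated weak word such as 'Password123!' is compared as 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def check_password(pw: str, min_length: int = MIN_LENGTH, deny_list=DENY_LIST):
    """Apply the two NCSC-suggested controls. Returns (accepted, reason)."""
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    if normalise(pw) in deny_list:
        return False, "core of the password is on the deny list"
    return True, "accepted"


def full_space_bits(alphabet_size: int, length: int) -> float:
    """Nominal guess space of a length-N password over a given alphabet.
    This is the figure complexity rules appear to buy."""
    return length * math.log2(alphabet_size)


def pattern_bits(words_in_dictionary: int, digit_count: int, symbol_count: int) -> float:
    """Guess space of the pattern complexity rules push users toward:
    one dictionary word (initial capital adds nothing an attacker does not
    already try), a run of digits, and one symbol from a small set."""
    return math.log2(words_in_dictionary * 10 ** digit_count * symbol_count)


def passphrase_bits(dictionary_size: int, word_count: int) -> float:
    """Guess space of word_count words drawn uniformly at random from a list."""
    return word_count * math.log2(dictionary_size)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["Tr0ub4dor&3", "correcthorsebattery1!", "kettleorbitcanvas"]:
        ok, why = check_password(candidate)
        print(f"{candidate!r:26} {'OK ' if ok else 'NO '} {why}")

    print(f"8 chars, 72-symbol alphabet, nominal : {full_space_bits(72, 8):5.1f} bits")
    print(f"Word + 2 digits + symbol, as guessed: {pattern_bits(10_000, 2, 10):5.1f} bits")
    print(f"3 random words from a 7776-word list : {passphrase_bits(7776, 3):5.1f} bits")
```

The comparison makes the NCSC’s point concrete: an 8-character complex password has a nominal space near 49 bits, but once users satisfy the rules with the familiar word-digits-symbol shape an attacker only has to search about 23 bits, while three words chosen at random from a modest 7,776-word list sit near 39 bits. The deny list also shows why a long passphrase is not automatically safe: the well-known phrase is rejected despite passing the length check.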
Adam Philpott, EMEA President of McAfee Enterprise, has come out in support of the NCSC’s suggestion, saying that businesses should implement its advice.
“Failing to understand the importance of password security will provide cybercriminals with unlimited opportunities, especially as we continue to shift to a hybrid working model," adds Philpott.
However, while the NCSC maintains that three random words result in far sturdier passwords than rule-based unintuitive strings, it acknowledges that the strategy will only really be effective when “used alongside secure storage.”