
The UK government thinks it has a bright idea about how to strengthen your passwords


Amidst a push for passwordless authentication, a 2016 document from the UK’s National Cyber Security Centre (NCSC) advising people to use three random words as passwords, instead of creating complex strings, has stirred up quite a storm, compelling the organization to further explain their guidance.

The NCSC argues that asking users to create complex, counter-intuitive passwords according to a set of rules in fact helps malicious actors brute-force them, because attackers know the rules and the password patterns they produce.

It further suggests that, because creating complex passwords is laborious, the practice encourages the habit of password reuse.


“Passwords generated from three random words help users to create unique passwords that are strong enough for many purposes, and can be remembered much more easily. This is also good for those who aren't aware of password managers, or are reluctant to use them,” suggests Kate R, People Team Lead, Sociotechnical Security Group, NCSC. 

Responding to criticism

NCSC’s suggestion for the use of three random words has been panned by several quarters.

In its new blog post, however, the NCSC addresses these concerns. It first suggests that while algorithms for brute-forcing three random words do exist, they cannot be used as easily as the algorithms for brute-forcing rule-based passwords.

It also notes that its suggestion is not the only approach that can produce weak passwords: rule-based passwords can be just as weak.

To address this concern, the NCSC suggests mandating “a minimum length requirement combined with the application of password deny lists.”
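As an added illustration (not code from the article or from the NCSC), the following check applies the two controls just mentioned, a minimum length and a deny list, and normalizes common rule-driven mangling so that a “compliant” variant of a deny-listed word is still rejected while a three-random-word passphrase passes. The deny list, the substitution map and the 12-character minimum are constructed assumptions for the example.

```python
import re

# Constructed sample deny list; a deployment would load a large list of
# breached or common passwords rather than these few entries.
DENY_LIST = {"password", "qwerty", "letmein", "welcome", "football", "iloveyou"}

# Assumption: an illustrative minimum, not a figure the NCSC mandates.
MIN_LENGTH = 12

# Common character substitutions that complexity rules push users toward.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "4": "a"})


def normalize(password: str) -> str:
    """Undo typical rule-driven mangling so 'P@ssw0rd1!' compares as 'password'.

    Lower-case, drop trailing digits/symbols (the usual 'add a number and a
    symbol at the end' pattern), then reverse leet-style substitutions.
    """
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    return base.translate(LEET_MAP)


def check_password(password: str) -> list[str]:
    """Return a list of policy failures; an empty list means the password is accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(password) in DENY_LIST:
        failures.append("matches a deny-listed password after normalization")
    return failures


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Welcome2021!", "coffeetrainwindow"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

Note that "Welcome2021!" satisfies the usual upper/lower/digit/symbol rules and the length minimum, yet is still rejected because it is a mangled form of a deny-listed word.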

Adam Philpott, EMEA President at McAfee Enterprise, has come out in support of the NCSC’s suggestion, saying that businesses must implement its advice.

“Failing to understand the importance of password security will provide cybercriminals with unlimited opportunities, especially as we continue to shift to a hybrid working model," adds Philpott.

However, while the NCSC suggests that using three random words results in far sturdier passwords than rule-based, unintuitive strings, it acknowledges that the strategy will only really be effective when “used alongside secure storage.”

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.