Three Random Words
Combine three random words to create a password that’s ‘long enough and strong enough’.
Weak passwords can be cracked in seconds. The longer and more unusual your password is, the harder it is for a cyber criminal to crack.
Why 3 Random Words?
A good way to make your password difficult to crack is by combining three random words to create a password (for example applenemobiro). Or you could use a password manager, which can create strong passwords for you (and remember them).
Avoid the most common passwords that criminals can easily guess (like ‘password’). You should also avoid creating passwords from significant dates (your birthday, or a loved one’s), or from your favourite sports team, or by using family and pet names. Most of these details can be found within your social media profile.
If you’re thinking of changing certain characters in your password (so swapping the letter ‘o’ with a zero, for example), you should know that cyber criminals know these tricks as well. So your password won’t be significantly stronger, but it will be harder for you to remember.
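The point about character swaps can be shown with a check a service might run when a password is set. This is an added example, not part of the NCSC guidance: it undoes common swaps and trailing digits or symbols before comparing against a deny list, so ‘P@ssw0rd’ is treated the same as ‘password’. The deny list, substitution table and function names are constructed for illustration.

```python
import re

# Constructed sample deny list; a real one would hold many more common
# and breached passwords.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "dragon"}

# Well-known character swaps, mapped back to the letters they replace.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s",
                               "!": "i"})


def variants(password):
    """Return the base forms a guesser would try for this password."""
    lowered = password.lower()
    # Drop trailing digits and symbols, e.g. "password1!" -> "password".
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    return {lowered, stripped,
            lowered.translate(SUBSTITUTIONS),
            stripped.translate(SUBSTITUTIONS)}


def is_predictable(password, personal=()):
    """True if the password reduces to a common password or contains a
    personal detail (pet name, team, date) supplied by the caller."""
    forms = variants(password)
    if forms & COMMON_PASSWORDS:
        return True
    terms = [t.lower() for t in personal if t]
    return any(term in form for term in terms for form in forms)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Password1!", "dr4g0n", "applenemobiro"]:
        print(candidate, "->", "reject" if is_predictable(candidate) else "accept")
```

The `personal` argument takes details the service already holds about the user, such as a name or date of birth, so that passwords built from them are rejected as well.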
Why does the NCSC recommend using ‘three random words’?
By using a password that’s made up of three random words, you’re creating a password that will be ‘strong enough’ to keep the criminals out, but easy enough for you to remember.
Longstanding advice around making your passwords very complex (which suggests we should create passwords full of random characters, symbols and numbers) is not helpful. This is because most of us have lots of passwords, and memorising lots of complex passwords is almost impossible.
Generating passwords from three random words is a good way to create unique passwords that are ‘long enough’ and ‘strong enough’ for most purposes, but which can also be remembered much more easily. If you want to write your password down, that’s also OK, provided you keep it somewhere safe.
Why we recommend three random words
Passwords made from multiple words will generally be longer than passwords made from a single word. Length is a common (and recommended) requirement for passwords, and promoting the use of a ‘passphrase’ created by combining words provides a way to achieve this without relying on predictable patterns (such as the addition of ! at the end of a password).
To have a meaningful impact, the NCSC needed to be able to promote a technique across different media, in a way that could be quickly understood in most contexts. ‘Three random words’ contains all the essential information in the title, and can be quickly explained, even to those who don’t consider themselves computer experts.
The stereotypical password is a single dictionary word or name, with predictable character replacements. By recommending multiple words we immediately challenge that perception, and encourage a range of passwords that have not previously been considered.
The main issue with enforcing complexity requirements is that it’s difficult for users to generate, remember, and enter complex passwords correctly without substantial effort, which further encourages the re-use of passwords. Three random words’ power is in its usability, because security that’s not usable doesn’t work.