One of the National Cyber Security Centre’s (NCSC) most visited pages is their advice on using three random words when creating a password.
They have written a new blog explaining why they stand by the advice originally published five years ago and responding to concerns people have about following it.
Unfortunately, certain requirements asked of us when creating passwords can have the unintended consequence of making them less secure. The NCSC argue that “three random words” is a sensible, easy to grasp principle that is practical to use. It results in passwords complex enough to protect and easier to think up, remember and type in.
Whilst not a panacea it is reasonably usable and secure. Particularly, the NCSC argue, since security is not helped by “the continued low uptake of password managers to both store and generate passwords (the NCSC has encouraged organisations and individuals to use password managers for some time)”.
NCSC recommends using “three random words” alongside secure password storage solutions. After all, how are you going to remember the long, complex, secure password to access your password manager? A part of their argument is that three random words are better protection than most of us currently use.
However, there are security consultants who have argued for a long time that “three random words” is a very bad idea. This is because given the speed of software dedicated to breaking passwords the example password NCSC provide is cracked “in about 4 hours”. But it's possible to use different password structures that are considerably harder to crack.
So, if you are responsible for security in a business, what are you going to do about passwords? Are you looking to be better or to follow best practices?
Well, the one thing most people agree on is to use a password manager. Pick a good one. Allow it to do all the hard work generating, storing and retrieving strong, long and random passwords.
To help you reach your own conclusions, here is the NCSC article and here is a security specialist’s concern about their advice. If you are responsible for password behaviour and implementing a password manager in an organisation you may also find this useful.
Thanks for the Image by jclovis3 from Pixabay