Bad passwords are easy to remember, but they are also easy to guess, and that can give an attacker access to your online accounts. That’s why the UK’s National Cyber Security Centre (NCSC) recommends that users pick three random words for a password rather than meeting complexity requirements, such as an alphanumeric string, that still permit the creation of bad passwords like “pa55word.” One of the main reasons is to address the fact that people are poor at memorizing long, complex passwords, while password manager adoption remains very low. Three random words are beneficial because they produce longer passwords, the strategy is easy to explain and understand, and it is usable and practical. It also helps increase password diversity, which makes it harder for attackers to use search algorithms to discover passwords cheaply and then compromise accounts.
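As an added illustration of why the scheme works (example code, not from the NCSC guidance or the original article), the Python below picks words with the OS random source and shows how the search space an attacker must cover grows with the size of the word list and the number of words. SAMPLE_WORDS is a small constructed list; a real deployment would use a curated list of thousands of words.

```python
import math
import secrets

# Constructed sample word list for demonstration only. The size of the
# list directly determines how much work each extra word adds for an attacker.
SAMPLE_WORDS = ["anchor", "biscuit", "camera", "dragon", "ember", "falcon",
                "garden", "harbour", "island", "jungle", "kettle", "lantern",
                "meadow", "nectar", "orbit", "pebble", "quartz", "ribbon",
                "saddle", "timber", "umbrella", "velvet", "walnut", "yonder"]


def three_random_words(words, count=3, sep=""):
    """Join `count` words chosen uniformly at random from `words`.

    secrets.choice uses the OS CSPRNG; random.choice is predictable and
    would undo the unpredictability the scheme relies on. Human-chosen
    "random" words are far less uniform than this, which is why the
    guidance says random words, not favourite words.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def search_space_bits(list_size, count):
    """Entropy in bits of `count` uniformly chosen words from a list of `list_size`.

    An attacker who knows the scheme and the list still has to cover
    list_size ** count combinations; every extra word multiplies that by list_size.
    """
    return count * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest number of words from a list of `list_size` reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    pw = three_random_words(SAMPLE_WORDS, sep="-")
    print(pw)
    print(f"{len(SAMPLE_WORDS)}-word list, 3 words: "
          f"{search_space_bits(len(SAMPLE_WORDS), 3):.1f} bits")
    print(f"7776-word list, 3 words: {search_space_bits(7776, 3):.1f} bits")
```

Note that a 24-word list gives under 14 bits for three words, so the scheme only delivers its benefit with a large list and genuinely random selection.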
NCSC has previously called on organizations to ditch password-expiry policies because they encourage users to pick slight variations on existing passwords. Since then, many organizations, including Microsoft, have dropped their recommendations for expiring passwords because the policy was obsolete and unhelpful. The three random words advice also roughly aligns with Google’s recommendations for protecting Google Accounts. NCSC gave critical advice that passwords must be memorized, or stored in a password manager, a browser, or on a piece of paper. While NCSC endorses the use of password managers and believes they also increase password diversity, it is encouraging three random words until password manager adoption is universal.