Government experts say it is much better to create a password made up of three random words than to use more complex variants containing a string of letters, numbers and symbols.
The National Cyber Security Center (NCSC), which is part of the Government Communications Headquarters (GCHQ), emphasized its “three random words” proposal in a new blog post.
It said a key reason for using the system is that the passwords it creates are easy to remember yet, because of their unusual combinations of letters, strong enough to protect online accounts from cybercriminals.
In contrast, more complex passwords can be ineffective because they are more likely to be guessed by criminals and the software they build to crack them, the guidance said.
The agency said cybercriminals target the predictable strategies people use to make passwords more complex, such as replacing the letter o with a zero or the number 1 with an exclamation point.
Criminals account for such patterns in their hacking software, negating any additional security such passwords are meant to provide.
The agency stated: “Contrary to intuition, implementing these complex requirements will result in the creation of more predictable passwords.”
In contrast, passwords composed of three random words tend to be longer and harder to predict, and they use letter combinations that are harder for hacking algorithms to detect.
The blog post acknowledged that the three random words method is not 100% safe because people may use predictable word combinations, but said one of the system's main advantages is its usability “because unavailable security does not work.”
The guidelines were published as data from the National Bureau of Statistics showed that cybercrime surged during the pandemic, with online fraud increasing by 70% last year.
“Traditional password advice tells us that it is silly to remember multiple complex passwords,” NCSC Technical Director Dr. Ian Levy said on the center’s website.
“We decided to use the three random words method for several good reasons, especially because the passwords it creates are both strong and easier to remember.
“By following this advice, people will be less vulnerable to cybercriminals, and I encourage people to consider the passwords they use on important accounts and consider using a password manager.”



