How to make three random words secure

When the National Cyber Security Centre (NCSC) started promoting three random words as passwords, the general public had practical advice that was easy to follow. While it is extremely valuable to provide sound advice for choosing passwords, the perceived level of security provided by three random words has been hotly debated. As is often the case with cyber security, the debate is centered on balancing security and usability. Three random words can be a secure method for setting passwords, if used together with a password deny list of known leaked passwords.

#thinkrandom

Three random words, also known as #thinkrandom, is an initiative from the NCSC to educate the general public on how to choose secure passwords that are still easy to remember. The initiative was introduced to undo years of security advice that told people to combine different character types when creating passwords. Research has since found that character complexity requirements failed to achieve what it set out to do – make passwords harder to crack. Its failure can be blamed on people following the same character composition patterns (i.e. capital letter to start, number at the end, replacing the letter s with $, etc).  

Easy to guess passwords

The three random words initiative is designed to address billions of weak passwords that are easy to guess. This means that even without sophisticated password cracking techniques, hackers can come up with likely passwords to try on different accounts, either in a credential stuffing attack or in a targeted attack against an individual. Easy-to-guess passwords with multiple character types include:

Liverpool#1

Pa$$word7

Spring2020!

Examples of three random words passwords provided by the NCSC include:

coffeetrainfish

walltinshirt

Falls short to brute force

Critics of the #thinkrandom advice often bring up the time needed to break a password hash in a brute-force attack. When comparing two 14-character long passwords, one with three random words and one randomly generated using multiple character types, the multiple-character type password will take longer to crack in a brute force attack. This article explains the math to back up the criticism and recommends a Password Manager as a solution to needing to remember so many randomly-generated passwords.

Proponents of the advice believe in providing tips that the general public can follow, in order to improve the security of passwords. While critics of the advice can point out the most sophisticated randomly-generated passwords and show how these are more secure. Both are right, but they represent extremes of the password security spectrum. Is there a middle ground that uses easy-to-follow advice and combines this with another layer of protection?

Make three random words more secure

One way to improve the security of the three random words advice is to combine it with a password deny list of known compromised passwords. A compromised password deny list is designed to prevent a password dictionary attack, where a hacker uses a password list from a previous data breach to gain access to an account. The breached password deny list improves the security of the three random words passwords by blocking passwords that have appeared on previous data breaches. This way people can choose passwords that they can remember, and are also not published online for hackers to use.

Will this make it harder for people to choose three random words passwords? No, if people follow the advice and choose words at random, it will not be difficult to find passwords that do not appear on the compromised passwords list.