Although everyone knows their passwords should be strong and safe in order to protect their personal data, very often people choose to ignore this and opt for weaker passwords that are more susceptible to hacks.
Three random words, also known as #thinkrandom, is an initiative from the NCSC to educate the general public on how to choose secure passwords that are still easy to remember. The initiative was introduced to undo years of security advice that told people to combine different character types when creating passwords. Research has since found that character complexity requirements failed to achieve what it set out to do – make passwords harder to crack. Its failure can be blamed on people following the same character composition patterns (i.e. capital letter to start, number at the end, replacing the letter s with $, etc).
2. Easy to guess passwords
The three random words initiative is designed to address billions of weak passwords that are easy to guess. This means that even without sophisticated password cracking techniques, hackers can come up with likely passwords to try on different accounts, either in a credential stuffing attack or in a targeted attack against an individual. Easy-to-guess passwords with multiple character types include: Liverpool#1, Pa$$
3. Falls short to brute force
Critics of the #thinkrandom advice often bring up the time needed to break a password hash in a brute-force attack. When comparing two 14-character long passwords, one with three random words and one randomly generated using multiple character types, the multiple-character type password will take longer to crack in a brute force attack. This article explains the math to back up the criticism and recommends a Password Manager as a solution to needing to remember so many randomly-generated passwords.
Proponents of the advice believe in providing tips that the general public can follow, in order to improve the security of passwords. While critics of the advice can point out the most sophisticated randomly-generated passwords and show how these are more secure, both are right, but they represent extremes of the password security spectrum. Is there a middle ground that uses easy-to-follow advice and combines this with another layer of protection?
4. Make three random words more secure
One way to improve the security of the three random words advice is to combine it with a password deny list of known compromised passwords. A compromised password deny list is designed to prevent a password dictionary attack, where a hacker uses a password list from a previous data breach to gain access to an account. The breached password deny list improves the security of the three random words passwords by blocking passwords that have appeared on previous data breaches. This way people can choose passwords that they can remember, and are also not published online for hackers to use.
Will this make it harder for people to choose three random words passwords? No, if people follow the advice and choose words at random, it will not be difficult to find passwords that do not appear on the compromised passwords list.
5. Make your password long enough
When it comes to making strong passwords, the single most important factor is the length of the password. As long as a password isn’t easily guessable by other means (e.g. use of common words, username, repeating characters) length is your best friend for mitigating brute force attacks.
*Specops Breached Password Protection works together with Specops Password Policy so that companies can block all passwords found on the list of over two billion compromised passwords, making it easy to comply with industry regulations, such as NIST or Cyber Essentials. The service blocks people from choosing banned passwords and informs the user as to why they cannot use the password.
As Christmas edges closer, decorations are out in full force and the holiday spirit is growing. But, how caught up do people really get? Specopssoft.com analyzed 800 million passwords from Specops Software’s Breached Password Protection* database in order to reveal the most leaked Christmas-related passwords that are currently being unsafely used by millions of people.