Security Awareness – Passwords and Predictability

Author: Jennifer Walker

Created: Tuesday, August 10, 2021 - 17:55

Categories: Cybersecurity

There is no doubt that without a password manager, complex passwords are difficult to remember and lead to Perpetual Password Pitfalls. As such, the United Kingdom’s National Cyber Security Centre (NCSC) has been encouraging the practice of using three random words when creating passwords versus NIST’s standard guidance incorporating complexity requirements. In a recent post, NCSC shares its rationale that passwords using three random words are easier to remember and help users create unique passwords which are harder to compromise. NCSC Technical Director Dr. Ian Levy says that this strategy “create[s] passwords which are both strong and easier to remember” while also making users “much less vulnerable to cyber criminals.” NCSC’s rationale does address the continued low adoption of password managers to generate and store more secure passwords. However, that same lack of password manager usage contributes to similar pitfalls when creating three random words as it does when creating complex passwords.

Ultimately, our human capacity to generate three stronger (and longer) random words is typically not sufficient, and it leads to potentially predictable strings that can still be trivially cracked by any miscreant through widely available dictionary attack tools. PenTestPartners (PTP) provided a good example, analysis, and methodology of how it’s not looking good for “ThreeRandomWords” in Do Three Words Pass the Crack?, posted in the WaterISAC Resource Center in January. PTP even looked at how choosing three less commonly thought of words is still an issue. Without password managers, there are far less desirable ways to create and manage passwords than three random words. However, perhaps a more secure approach could incorporate a subtle blending of the two methods – three (or four or five) random words and a little complexity. Regardless of the password approach you choose, add multifactor authentication to help overcome some of the inherent deficiencies in both methods.
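The blended approach described above can be made concrete with a generator that lets the machine, not the person, choose the words, alongside an estimate of how much each option adds. This is an added example, not code from WaterISAC, NCSC or PTP; the list sizes (2,000 and 7,776), the symbol set, the sample words and the blend scheme (one capitalised word, one digit, one symbol) are assumptions made for illustration.

```python
import math
import secrets

SYMBOLS = "!@#$%&*?"  # 8 symbols, an arbitrary choice for this example

# Constructed sample list so the block runs offline. Real use needs a large
# list (the 7,776-word size used below is an assumption).
SAMPLE_WORDS = ["harbor", "velvet", "cactus", "magnet", "orbit", "pencil",
                "tundra", "walnut", "ember", "lantern", "quartz", "meadow"]


def passphrase_bits(list_size, n_words, blend=False):
    """Entropy in bits, valid only when every choice is uniformly random."""
    bits = n_words * math.log2(list_size)
    if blend:
        # one capitalised word position + one digit + one symbol
        bits += math.log2(n_words) + math.log2(10) + math.log2(len(SYMBOLS))
    return bits


def generate(wordlist, n_words=3, blend=True):
    """Draw words with the OS CSPRNG; people do not pick uniformly."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    if not blend:
        return "-".join(words)
    i = secrets.randbelow(n_words)
    words[i] = words[i].capitalize()
    return "-".join(words) + secrets.choice("0123456789") + secrets.choice(SYMBOLS)


def average_guesses(bits):
    """Expected guesses for an attacker who knows the scheme and the list."""
    return 2 ** (bits - 1)


if __name__ == "__main__":
    print(generate(SAMPLE_WORDS))
    for label, size, n, blend in [
        ("3 words, person picking from ~2,000 familiar words", 2000, 3, False),
        ("3 random words, 7,776-word list", 7776, 3, False),
        ("3 random words + blend", 7776, 3, True),
        ("4 random words", 7776, 4, False),
    ]:
        b = passphrase_bits(size, n, blend)
        print(f"{label}: {b:.1f} bits, ~{average_guesses(b):.2e} guesses")
```

Under these assumptions a fourth random word adds more than the digit, symbol and capital combined, and the figure for a person's own choices is an upper bound because people do not pick uniformly.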
