A Guide to Passwords: Using the 3 Random Word System

These days almost all businesses operate in a hybrid situation where their employees work partly from home and partly in the office. Combine this with an environment in which digital security is becoming harder and harder to defend and you have a recipe for disaster.

How can you make sure that your employees are taking the same level of care with their passwords when they are working from home as when they are in the office?


The Problem

It is common now for sites to enforce complexity requirements on users when they need to create a new password. The mistaken belief is that these requirements (the use of an uppercase letter, a digit, or a special character) force the user to build a password that will defeat attackers. In reality, we can't remember random character strings, so we employ known patterns (such as replacing the letter "o" with a zero) to satisfy the 'complexity' rules.

Of course, attackers are aware of these patterns and build them into their guessing tools. Perhaps surprisingly, enforcing complexity rules therefore yields more predictable passwords: users revert to variations of something they already know and use, mistakenly believing it is strong because it satisfies a password strength meter.

So, several years ago, the National Cyber Security Centre (NCSC) recommended the Three Random Words strategy as an alternative way to create passwords. And, in the current climate of decentralised workspaces, this strategy continues to stand head and shoulders above the alternatives.

The three random word password strategy is a great way to ensure that your employees are taking security seriously, no matter where they happen to be working. By using this method, employees generate passwords that are both easy to remember and hard for hackers to crack.

What is the three random word strategy?

The system creates a password from three words selected at random from a list, for example 'blueberry train crash' or 'elephant artist buffalo'. It has been adopted by many organisations after extensive testing by the NCSC showed it generates more robust passwords than traditional methods.
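As an added example (not code from the original article or from the NCSC), the following generator picks the three words with the operating system's cryptographic random source and reports the resulting entropy, so you can see how the size of the wordlist drives the strength. The 32-word list is constructed sample data; a real deployment would use a list of several thousand words.

```python
import math
import secrets

# Constructed sample wordlist of 32 common, unrelated words. With only 32 words
# each word contributes 5 bits; a list of a few thousand words gives 11-13 bits per word.
WORDLIST = [
    "blueberry", "train", "crash", "elephant", "artist", "buffalo", "candle",
    "harbour", "meadow", "piano", "rocket", "saddle", "thunder", "violet",
    "walnut", "anchor", "basket", "copper", "desert", "engine", "falcon",
    "garden", "helmet", "island", "jungle", "kettle", "lantern", "marble",
    "needle", "orchid", "pepper", "quartz",
]


def generate_passphrase(wordlist, n_words=3, separator=" "):
    """Pick n_words uniformly at random using the OS CSPRNG (secrets), never random.choice."""
    if len(set(wordlist)) < 2:
        raise ValueError("wordlist must contain at least two distinct words")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size, n_words=3):
    """Entropy in bits when each word is chosen independently from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def expected_guesses(entropy_bits):
    """Average guesses needed by an attacker who knows the wordlist and the scheme: 2^bits / 2."""
    return 2 ** entropy_bits / 2


def is_valid_passphrase(passphrase, wordlist, n_words=3, separator=" "):
    """Check that a passphrase is exactly n_words words, all drawn from the wordlist."""
    words = passphrase.split(separator)
    allowed = set(wordlist)
    return len(words) == n_words and all(w in allowed for w in words)


if __name__ == "__main__":
    phrase = generate_passphrase(WORDLIST)
    bits = passphrase_entropy_bits(len(WORDLIST))
    print(f"{phrase!r}: {bits:.1f} bits, ~{expected_guesses(bits):.0f} guesses on average")
```

The entropy figure assumes the attacker knows the wordlist; the strength comes from the random choice, not from keeping the list secret.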


Why is the three random word system so popular?

There are a number of reasons why the three word password strategy has become so popular. Firstly, it is much easier to remember than traditional passwords, which are often complex and difficult to recall. Secondly, because the words are selected at random rather than chosen for personal meaning, attackers find it extremely difficult to guess a password created this way.


Why does the NCSC prefer this system?

Simple and Self-Explanatory
The NCSC needed to be able to popularise a method across several media in a way that could be readily understood in most situations. The phrase "three random words" carries all the essential knowledge in its title and can be explained simply, even by non-experts.

It’s Usable
This could be one of the most important aspects to consider if you're thinking about implementing a password reset system. The main problem with enforcing complexity standards is that users struggle to generate, remember, and type complex passwords correctly without considerable effort, which pushes them towards reusing passwords. The strength of three random words lies in its usability, since unusable security simply doesn't work.

Long Passwords = More Security
Passwords consisting of several words will generally be longer than those constructed from a single word. A 'passphrase' built by combining words to meet a minimum length requirement is an effective alternative to relying on predictable patterns (such as adding ! at the end of a password).

Changing Perceptions
The typical password is a single word or name with predictable character substitutions. Asking for several words breaks that habit, prompting people to think differently and invent more creative passwords.


What are the disadvantages of three random word passwords?

Although creating a password from three words is much easier than many other strategies and can be done very quickly, there are still some potential pitfalls for users.

Selecting Weak Words
All employees need to be instructed that the words they choose must be unrelated to each other and not connected to them in any way. For example, if a user chooses their child's name as one of the three random words, this password will be useless because it is too easy for an attacker to guess; however, if they use 'Morkie', which has no association with them or anyone close to them, this password will be very secure.
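One way to enforce the guidance above when users pick their own words, as an added example rather than code from the original article: screen each candidate word against a list of terms tied to the user (names, pets, home town), after undoing the common character substitutions mentioned earlier so that '0livia' is caught as well as 'Olivia'. The personal-term list and the substitution table are constructed assumptions for this example.

```python
# Undo common substitutions so that leet-style spellings do not bypass the check.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed sample data: terms an attacker could learn about this user.
PERSONAL_TERMS = ["Olivia", "Rover", "Manchester"]


def normalise(word):
    """Lower-case the word and reverse character substitutions ('M0rk1e' -> 'morkie')."""
    return word.lower().translate(LEET_MAP)


def screen_words(words, personal_terms, min_len=4):
    """Return a (word, reason) pair for every candidate word that should be rejected."""
    # Very short personal terms would match almost anything, so ignore them.
    terms = {normalise(t) for t in personal_terms if len(t) >= 3}
    problems = []
    for word in words:
        norm = normalise(word)
        if len(norm) < min_len:
            problems.append((word, "too short"))
        elif any(t in norm or norm in t for t in terms):
            problems.append((word, "linked to the user"))
    return problems


def acceptable(words, personal_terms):
    """Exactly three distinct words, none rejected by the screening rules."""
    distinct = len({normalise(w) for w in words}) == 3
    return len(words) == 3 and distinct and not screen_words(words, personal_terms)


if __name__ == "__main__":
    for candidate in (["Morkie", "train", "crash"], ["0livia", "train", "crash"]):
        print(candidate, "->", screen_words(candidate, PERSONAL_TERMS) or "ok")
```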

Never Write Down Passwords
Users need to ensure that they don't write down their three random word passwords anywhere, to avoid them falling into the wrong hands. Creating passwords from three random words is not a magic bullet for remembering a large number of passwords at once, and your staff must be discouraged from writing them down. Our specialists advocate using a secure password storage solution alongside this system.


Conclusion

Passwords generated by password managers will always offer the strongest protection, and we continue to recommend them as the gold standard for business use. However, given the low adoption of password managers in many organisations, the three random word strategy remains a practical and effective alternative.

If your teams are not yet using a password manager, implementing the three random word strategy is a valuable interim step. But like all security measures, it must be backed by good practice, user awareness, and organisational support.


If you’re reviewing your organisation’s password policy or looking to improve security awareness across a hybrid workforce, contact Defended Solutions to discuss how we can help.
