The UK government thinks it has a bright idea about how to strengthen your passwords


Amidst a push for passwordless authentication, a 2016 document from the UK’s National Cyber Security Centre (NCSC) advising people to use three random words as passwords, instead of creating complex strings, has stirred up quite a storm, compelling the organization to further explain its guidance.

The NCSC argues that asking users to create complex, counter-intuitive passwords based on a set of rules in fact helps malicious actors brute-force them, since attackers are aware of the rules and of existing password patterns.

It further suggests that since it is laborious to create complex passwords, the practice encourages the habit of password reuse.

“Passwords generated from three random words help users to create unique passwords that are strong enough for many purposes, and can be remembered much more easily. This is also good for those who aren't aware of password managers, or are reluctant to use them,” suggests Kate R, People Team Lead, Sociotechnical Security Group, NCSC. 

Responding to criticism

NCSC’s suggestion for the use of three random words has been panned by several quarters.

Responding to the criticism though, NCSC addresses all concerns in its new blog post. It first suggests that while it is true that there are algorithms for brute forcing three random words, they can’t be used as easily as algorithms for brute forcing rule-based passwords.

It also believes that it isn’t just its suggestion that can create weak passwords, and that rule-based passwords can be just as weak.

To address this concern, the NCSC suggests mandating “a minimum length requirement combined with the application of password deny lists.”
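The policy described above (a minimum length plus a deny list) applied to three-random-word passwords, as an added example that is not from the article or the NCSC. The word list, the deny list and the 12-character minimum are constructed for illustration.

```python
import math
import secrets

# Constructed sample data: a real deployment would load a large wordlist
# (thousands of words) and a deny list of known-breached passwords.
WORDLIST = ["coffee", "train", "fish", "window", "marble", "rocket", "garden",
            "pencil", "orange", "bridge", "candle", "tiger", "violin", "harbor",
            "walnut", "meadow"]
DENY_LIST = {"password", "letmeinplease", "qwertyuiop", "coffeetrainfish"}
MIN_LENGTH = 12  # assumed policy value, not a figure from the article


def generate_passphrase(words=WORDLIST, count=3, sep="-"):
    """Pick `count` words independently with a CSPRNG (not random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(wordlist_size, count=3):
    """Guessing entropy when the attacker knows the wordlist and the scheme."""
    return count * math.log2(wordlist_size)


def normalise(password):
    """Fold case and drop separators so trivial variants hit the deny list."""
    return "".join(ch for ch in password.casefold() if ch.isalnum())


def check_password(password, deny_list=DENY_LIST, min_length=MIN_LENGTH):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if normalise(password) in deny_list:
        problems.append("deny_listed")
    return problems
```

The entropy figure shows why the wordlist size matters: three words from a 16-word list give only 12 bits, while three from a 4,096-word list give 36 bits.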

Adam Philpott, EMEA President, McAfee Enterprise, has come out in support of the NCSC’s suggestion, saying that businesses must implement its advice.

“Failing to understand the importance of password security will provide cybercriminals with unlimited opportunities, especially as we continue to shift to a hybrid working model,” adds Philpott.

However, while the NCSC suggests the use of three random words results in far sturdier passwords than rule-based unintuitive strings, it acknowledges that the strategy will only really be effective when “used alongside secure storage.”

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
