Blog post

Three random words or #thinkrandom

Created:  27 Oct 2016
Updated:  27 Oct 2016
Author:  Ian M

You're probably aware that there’s a lot of guidance out there on what makes a good password — and it can be incredibly confusing. This blog post should help.

For home users we are working with Cyber Aware, advising that you create passwords using three random words. You just put them together, like 'coffeetrainfish' or ‘walltinshirt’.

You can choose words that are memorable but should avoid those which might be easy to guess, such as 'onetwothree' or are closely related to you personally, such as the names of family members or pets.

Ultimately, the choices you make regarding passwords are up to you. This blog post is intended to help inform you as you make password decisions and explain a little bit of the cyber security rationale behind our three random words guidance.

Attacking your account

There are some common ways that cyber-criminals might try to compromise your user accounts. Many of these relate to the passwords you use, so let's take a look at a few of them:

It's obvious. You should try to ensure that your password isn't easy to guess. We all know that passwords protect things that are valuable to us but that doesn't stop the most common passwords consistently including 'password', '123456', 'qwerty', 'football' and so on. Take a look at one of the many 'top 100' password lists to see what form the most common ones take.

Somebody else's bad. There are frequently stories in the media about cyber-criminals breaking large numbers of passwords from sites that have failed to protect them properly. If you are reusing the same password across multiple sites and cyber-criminals crack one site, they might try the recovered passwords on the other sites you use.

Keylogging. There is a type of malicious software that, once on your system, attempts to log the keystrokes you make, including passwords. Of course, this will compromise any password entered, no matter how complex. The best defence here is keeping your software up to date, so the malware can't get onto your system in the first place.

Smash the hash. When you choose a password, if the site is reasonably diligent it won't store that password in a form that can be read directly. It will have been processed by a clever maths function called ‘hashing’.

This function turns the readable password into what appears to be gobbledegook. This is the password hash and it is this that the website stores. The clever thing about hashing is that it's very hard to turn the hash back into the password. As a user, when you return to a website and enter your password, the hash is calculated and compared to the one already stored. If they match, you're in.

If a cyber-criminal somehow gets hold of the list of password hashes there are some attacks they can use to try to recover passwords. Firstly they might try a ‘dictionary attack’: putting lists of known words (including common substitutions such as '1' instead of 'i') through the same function and seeing if they result in the same hash. If they do, they have the password.

This might sound like a lot of work but with modern computing it really only takes seconds. If this doesn't work the cyber-criminal could try to ‘brute force’ the hash. This means trying every possible combination of characters until the password is found. Long random passwords and the inclusion of special characters make this harder for a computer to work out.

Three random words

If stopping a cyber-criminal breaking your password relies on long and complex passwords, where does three random words come from? Well, super-long and complex passwords aren't necessarily the best option for a number of reasons:

It's not all maths. Maths is great, but not at the expense of the users. It is really, really hard for a user to remember lots of complex, unique passwords. What happens is that we come up with coping mechanisms which are well known to cyber-criminals, and which they can and do exploit in order to attack our accounts.

So, ironically, using long and complex passwords sometimes just plays right into attackers' hands. For example using ‘Pa55word!’ may follow the rules of a website, but is a bad password as it's quite guessable. Typically, if a cyber-criminal has the hashes to attack, they will break passwords built from patterns like this whatever complexity rules the website puts in place.

Salt with that? Actually, when a diligent website processes your password it stirs in some other information as well: a ‘salt’, a random value generated separately for each account and stored alongside the hash. (Something predictable, such as your username, is a weaker choice of salt.) Salting means that two people with the same password end up with different hashes, so a cyber-criminal can't crack a whole leaked list with one set of precomputed guesses; every hash has to be attacked on its own. It doesn't make any one password harder to guess, though, so it needs to be combined with a password that isn't in the attacker's lists to begin with. Combined with three random words, this provides a reasonable amount of protection from attack.

How did they get the hash? I glossed over the cyber-criminals getting hold of the files containing all of the password hashes. If a website is well designed this should be really hard for a cyber-criminal to do. This is also why we recommend separate passwords for sites that are important to you (like your email) from things like web forums, which aren't. If one website doesn't look after the password hashes properly, that shouldn't allow easy access to the things that are important to you.

Hard to guess. Three well-chosen random words can be quite memorable but not easy to guess. It provides a good compromise between protection and usability.
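To make the ‘Smash the hash’ and ‘Salt with that?’ points concrete, here is an added example written for this page; it is not code from the NCSC or Cyber Aware. It stores passwords the way a diligent site would (a random per-account salt and an iterated hash, PBKDF2-HMAC-SHA256 here), then plays the cyber-criminal: given one leaked salt and hash, it runs a dictionary attack using the mangling rules mentioned above (capitalisation, '1' instead of 'i', a digit or '!' on the end) and then plain concatenations of dictionary words. The wordlist, the rule set, the passwords tried and the iteration count are all constructed for the example, and the iteration count is kept far lower than a real site would use so that it runs in seconds.

```python
import hashlib
import hmac
import itertools
import os
from typing import Iterator, Optional

# Constructed stand-in for the wordlists crackers really use (those run to
# many millions of entries). The post's own example words are included.
WORDLIST = ["password", "123456", "qwerty", "football", "letmein", "dragon",
            "coffee", "train", "fish", "wall", "tin", "shirt"]
SUBSTITUTIONS = [("a", "4"), ("e", "3"), ("i", "1"), ("o", "0"), ("s", "5")]
SUFFIXES = ["", "1", "!", "1!", "123"]

# Deliberately low so the demo runs in seconds; a real site uses far more
# rounds (or a memory-hard hash such as Argon2) to make each guess expensive.
ITERATIONS = 1_000


def new_salt() -> bytes:
    """Per-account salt: random bytes, not something predictable like the username."""
    return os.urandom(16)


def hash_password(password: str, salt: bytes) -> bytes:
    """What a diligent site stores: a salted, iterated hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Login: recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt), stored)


def mangle(word: str) -> list[str]:
    """Common mangling rules: capitalisation and leetspeak substitutions,
    applied one at a time and then all together. Order kept, duplicates dropped."""
    out = []
    for base in (word, word.capitalize()):
        out.append(base)
        for old, new in SUBSTITUTIONS:
            out.append(base.replace(old, new))
        full = base
        for old, new in SUBSTITUTIONS:
            full = full.replace(old, new)
        out.append(full)
    return list(dict.fromkeys(out))


def candidates(words: list[str], max_words: int = 3) -> Iterator[str]:
    """Dictionary-attack candidates: mangled single words with common suffixes,
    then plain concatenations of up to max_words dictionary words."""
    for w in words:
        for base in mangle(w):
            for suffix in SUFFIXES:
                yield base + suffix
    for n in range(2, max_words + 1):
        for combo in itertools.product(words, repeat=n):
            yield "".join(combo)


def crack(salt: bytes, stored: bytes, words: list[str] = WORDLIST) -> tuple[Optional[str], int]:
    """Dictionary attack on one leaked (salt, hash) pair.
    Returns (recovered password or None, number of hashes computed)."""
    tried = 0
    for cand in candidates(words):
        tried += 1
        if hmac.compare_digest(hash_password(cand, salt), stored):
            return cand, tried
    return None, tried


def search_space(dictionary_size: int, n_words: int) -> int:
    """Guesses needed to exhaust every n-word combination from a dictionary."""
    return dictionary_size ** n_words


def brute_force_space(alphabet_size: int, length: int) -> int:
    """Guesses needed to exhaust every string of the given length over an alphabet."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed test passwords: the post's bad example, its three-word example,
    # and one whose words are not in the attacker's list at all.
    for pw in ["Pa55word!", "coffeetrainfish", "purple-ocelot-ledger-7"]:
        salt = new_salt()
        stored = hash_password(pw, salt)
        assert verify(pw, salt, stored) and not verify(pw + "x", salt, stored)
        found, tried = crack(salt, stored)
        outcome = f"cracked as {found!r}" if found else "not found"
        print(f"{pw!r}: {outcome} after {tried} hashes")
    # Why the tiny list above cracks three words but a real one does not:
    print("3 words from 12:", search_space(12, 3))
    print("3 words from a 7776-word diceware list:", search_space(7776, 3))
    print("10 random characters from 62:", brute_force_space(62, 10))
```

Run as a script, it cracks 'Pa55word!' within the first fifty guesses and 'coffeetrainfish' after about 1,500, but only because every one of its words sits in the twelve-entry list. The final prints show why the size of the attacker's dictionary matters: three words drawn from a 7,776-word diceware list give about 470 billion combinations, each of which costs the attacker a full hash computation, and because every account has its own salt that work cannot be shared across a leaked list. The third password, whose words are in no list, is reached only by brute force.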

Ultimately it's your choice of course, but hopefully this blog post has helped to make your password choices a little bit more informed.

156 comments

Paul Moore - 08 Nov 2016
A username is not cryptographically random, thus should not be used as a salt.
S Smith - 04 Jan 2017
I like the three random word idea and will try it. Is the pass phrase out of fashion? Using the initial letters of a phrase you make up, then adding/inserting some numbers. It's quite easy to remember but very hard to guess.
IFH - 14 Feb 2017
I believe that most brute force password cracking programs stop at 16 characters, because of the incrementally longer time it takes to try all possible combinations of ASCII codes, so a 17 character password is effectively uncrackable! The main drawback of long passwords is that sites generally ask for only a small subset of the password e.g. 3rd, 5th, 18th, so you then find users have to write down the password to be able to determine which is the eighteenth character, compromising the security in lots of ways!
Jim - 24 Jan 2018
Thanks for this info. I currently use three random 5 character words with a single number (0-9) giving me 16 characters. I will simply add another character to get my 17 character password. Many thanks.
Gary - 20 Mar 2018
That's a reasonable approach but be aware of the risk that if your base password is cracked in a website breach (poorly stored by then) then it is simple to add numbers on the end. If you use unique pw per site that is mitigated or at least per category of site.
Peter Young - 15 Feb 2017
Thanks for this. I have never heard it before. I still think the big problem is all those online sellers who force you to make a password just to buy their stuff. It so annoys me, more especially that there are a few online retailers who will let you shop as a guest, which proves that most of our passwords are unnecessary. I would like to see the NCSC take steps to end the forced password culture. I am much more likely to shop again from someone who lets me shop as a guest.
Ian F - 21 Mar 2017
I think that XKCD needs an obligatory reference.

(As an aside - please don't pick CorrectHorseBatteryStaple as your password....)
Angie Bob - 01 Jun 2017
This advice is way out of date.

Password crackers try combinations of common words (and numbers and symbols), so this method will hack this sort of password in a few minutes. You don't even need to understand entropy to realize that.

This ArsTechnica article (from way back in 2013!) talks about how passwords such as "gonefishing1125" are discovered from salted hashes. They tried the combinations of 111 million dictionary words in 14 hours. arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

The only advice worth having is to use truly random passwords of 10+ characters. Use password manager software to remember them. And set up "2 factor authentication" to double lock your high value targets - your email and bank log-ins.
Ian M - 08 Jun 2017
It’s highly unlikely users will be able to craft high entropy passwords, so 3 random words doesn’t try to do so. We recommend a separate password for high value accounts like your email and enabling 2 factor or hardware authentication. Password managers do indeed have a role to play. Take a look at https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers
R H - 10 Sep 2017
High entropy passwords for the layman.

"IHateDrivingToWorkOnMondaysBecauseOfTheAwfulTrafficByTheAirBalloon"

Or

"IThinkImFallingInLoveWithTheCoffeeBaristaAtStarbucksTheDoubleShotCaramelLatteIGetReallySetsMeUpForTheDay"

Problem is websites go and do... "Please enter a password between 8 and 10 characters".
Giles Bradley - 08 Sep 2017
You recommend passwords of 10+ characters when there are only 62 different characters. On the other hand there are many thousands of different words .. which is better?
Ian M - 08 Sep 2017
Thanks for your comment Giles. The best password is one that works for the user whilst being reasonably secure and not trivially guessable. We support 3 random words as being a reasonable compromise between these aspects.
S. Tomlinson - 27 Mar 2018
Yes, no. You are thinking only of one case of characters. Start mixing in upper and lower case, and you increase the difficulty of cracking the password monumentally. "Password" is not "password".

When I have to do OS reinstalls for my clients, I always add capitalization to the password they supply to me before I will let it out of my hands.
Kevin Potter - 13 Feb 2018
Which is why you use random words. Big Red Frog! 21 - 16 characters with upper, lower and special characters has high entropy, is not easily guessable and is easily remembered
Kath Cunliffe - 23 Jun 2017
This is absolutely dreadful. The font you have used is virtually unreadable! If you really want to help people use a font that is clear and large enough to read!
Georgina James - 10 Aug 2017
the three random word idea is useful and I will be using the idea
susan whittingham - 12 Aug 2017
good idea, never would have used this
Eric kwarteng - 19 Aug 2017
Very useful ideas
Andrew Findlay - 05 Sep 2017
Random words are a good idea if they are truly random. People are bad at that, but dice are very good. Search for 'diceware' and ideally buy 5 dice to keep on the desk! Three words chosen by throwing 5 dice for each gives 6^15 different possibilities - that is about 470 billion different passwords. Not enough to defeat a hash-cracker, but very good against a guess-at-the-login-prompt attack.
simon cooper - 14 Sep 2017
good thinking
pj - 22 Sep 2017
this is good and i will consider the three words password.
Rosemariebeth Selia - 23 Sep 2017
usefull
Stephen Humphreys - 04 Oct 2017
good idea
stephen throrogood - 04 Oct 2017
thanks found this information useful
Andrew P - 04 Oct 2017
Good luck finding a website that accepts 3 words. They all require different combinations of numbers and symbols, so you're gonna have to remember the variation for every site you log into.
Reg McGee - 04 Oct 2017
The average person has about 200 online accounts. You're suggesting (apart from your bank and email) all have the same weak-ish password. There are so many breaches every year, I estimate that your password hash will be stolen about once a year on average. These are widely distributed amongst hackers who are quick to do password stuffing. You could easily have 100 of your accounts hacked overnight once a year. You criticize password managers for having their eggs in one basket, yet your recommended solution has the same issue and is regularly hacked.
Laureta - 11 Oct 2017
It is very useful
d reed - 13 Oct 2017
useful ideas
laura - 23 Oct 2017
Useful
Rich - 24 Oct 2017
I capitalise a specific word in the sequence and have punctuation and a number in there too which makes it work for more sites. Also to vary the password per site just switch one of the words - which works for sites that force you to frequently change PW too.

Non dictionary words are best, and no one said you can't use four words all from different languages...!
vilash.jadeja - 26 Oct 2017
Thank you found this information very useful
Aamir Ayub - 26 Oct 2017
excellent and useful information on passwords and data security. More such information needs to be available to the health workers on a regular basis. We change our passwords more frequently at our work place
donna - 26 Oct 2017
Thank you i found this very useful
Duk - 27 Oct 2017
Reassured that common ways of deriving passwords and potential for them being broken are mentioned. An education
lynda taylor - 31 Oct 2017
thank you found it informative
Albert Hurwood - 03 Nov 2017
If I want to submit an article on passwords how can I do this?
Mark Hayward - 08 Nov 2017
So if I take the example "coffeetrainfish", if that was to fit most sites' regimes then I would add and subtract something like the following: c0ff33tR@1nf1sh, which I believe would defeat the dictionary type attack and meet the stringent requirements. If the 17 character combination was required then adding further characters at the beginning, end or both would be even better, providing again that the end user remembers a) the three words b) the exchange of characters?
Zia Ullah - 16 Nov 2017
good long read
Star Brown - 19 Nov 2017
Very good
Jill - 21 Nov 2017
Interesting article
Timothy Dutton - 22 Nov 2017
While this looks good in principle, let's look at some facts. When asked to choose three random words, people will still choose words that have some meaning to them. Also if everyone starts using this advice, then the hackers will shift tactics to match.

In fact it will make the hackers job easier. Instead of having to brute force based on a random password, they will brute force with combinations of random words. Which means fewer guesses.

Furthermore, if the total length of the words exceeds the maximum password length, then they can eliminate that combination, meaning less time to crack the password.

So using "three random words" can in fact significantly reduce the amount of time it takes to guess a password.
Alison Lafferty - 23 Nov 2017
Very Useful
Lu - 23 Nov 2017
interesting
Janice Smith - 05 Dec 2017
Found this very interesting as I always struggle with passwords.
Gerezgiher Kesete Tsegay - 08 Dec 2017
I found that guidance is extremely useful information and helps to recognise and identify some possible hacking or cyber attacks. Thus, now, I am able to know the techniques that criminals frequently use to attack data and pieces of information, emails and other valuable details.
Antonio Joaquim - 10 Dec 2017
Very interesting
Malcolm Keating - 12 Dec 2017
Just reading these comments make me think - most people "over-think" advice. These are guidelines not instructions! Do what works best for you, taking into account the advice and comments. Generally; people are their own worst enemies. They should spend less time thinking about Password and more time thinking about the amount of personal data they give away voluntarily, every day on social media, website cookies and smartphone location data. Don't be Paranoid, be careful. Here's a thought: "will what I am about to do/say on my Computer or smart device make me vulnerable or help someone to identify me?"
Alan Pollard - 27 Feb 2018
Malcolm Keating. I like your comment. May I have your permission to copy this to post to my FaceBook friends?
Alan Pollard - 02 Mar 2018
Malcolm,
Have not had a reply from you so I am taking the liberty of posting this on my Facebook account as I think it is a good bit of advice. I will credit you as the author.
Zainab Addo - 18 Dec 2017
The information provided has been very useful.
