Three random words or #thinkrandom

Created:  27 Oct 2016
Updated:  27 Oct 2016
Author:  Ian M

You're probably aware that there’s a lot of guidance out there on what makes a good password — and it can be incredibly confusing. This blog post should help.

For home users we are working with Cyber Aware, advising that you create passwords using three random words. You just put them together, like 'coffeetrainfish' or 'walltinshirt'.

You can choose words that are memorable, but you should avoid ones that are easy to guess, such as 'onetwothree', or that are closely related to you personally, such as the names of family members or pets.

Ultimately, the choices you make regarding passwords are up to you. This blog post is intended to help inform you as you make password decisions and explain a little bit of the cyber security rationale behind our three random words guidance.

Attacking your account

There are some common ways that cyber-criminals might try to compromise your user accounts. Many of these relate to the passwords you use, so let's take a look at a few of them:

It's obvious. You should try to ensure that your password isn't easy to guess. We all know that passwords protect things that are valuable to us but that doesn't stop the most common passwords consistently including 'password', '123456', 'qwerty', 'football' and so on. Take a look at one of the many 'top 100' password lists to see what form the most common ones take.

Somebody else's bad. There are frequently stories in the media about cyber-criminals breaking large numbers of passwords from sites that have failed to protect them properly. If you are reusing the same password across multiple sites and cyber-criminals crack one site, they might try the recovered passwords on the other sites you use.

Keylogging. There is a type of malicious software that, once on your system, attempts to log the keystrokes you make — including passwords. Of course, this will compromise any password entered, no matter how complex. The best defence here is keeping your software current and up to date.

Smash the hash. When you choose a password, if the site is reasonably diligent it won't store that password in a form that can be read directly. It will have been processed by a clever maths function called ‘hashing’.

This function turns the readable password into what appears to be gobbledegook. This is the password hash and it is this that the website stores. The clever thing about hashing is that it's very hard to turn the hash back into the password. As a user, when you return to a website and enter your password, the hash is calculated and compared to the one already stored. If they match, you're in.

If a cyber-criminal somehow gets hold of the list of password hashes there are some attacks they can use to try to recover passwords. Firstly they might try a ‘dictionary attack’ — putting lists of known words (including common substitutions such as '1' instead of 'i') through the same function and seeing if they produce the same hash. If they do, you have the password.

This might sound like a lot of work but with modern computing it really only takes seconds. If this doesn't work the cyber-criminal could try to ‘brute force’ the hash. This means trying every possible combination of characters until the password is found. Long random passwords and the inclusion of special characters make this harder for a computer to work out.

Three random words

If stopping a cyber-criminal breaking your password relies on long and complex passwords, where does three random words come from? Well, super-long and complex passwords aren't necessarily the best option for a number of reasons:

It's not all maths. Maths is great, but not at the expense of the users. It is really, really hard for a user to remember lots of complex, unique passwords. What happens is that we come up with coping mechanisms which are well known to cyber-criminals, and which they can and do exploit in order to attack our accounts.

So, ironically, using long and complex passwords sometimes just plays right into attackers' hands. For example, using ‘Pa55word!’ may follow the rules of a website, but it is a bad password as it's quite guessable. Typically, if a cyber-criminal has the hashes to attack they will break them whatever rules are put in place.

Salt with that? Actually, when a website processes your password it stirs in some other information as well, like your username. This is called salting. Combined with three random words, this provides a reasonable amount of protection from attack. 
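To show the hash-and-compare flow and the effect of salting described above, here is an added example that is not code from the original post. It assumes PBKDF2-SHA256 as the "clever maths function", a random per-user salt (rather than the username the post mentions), and a 10,000-word list for the search-space estimate.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

# Assumed parameters for this example (not values from the original post).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record a website stores: per-user salt plus the slow hash.

    The readable password itself is never kept, only this record.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def search_space_bits(words_in_list: int, words_used: int = 3) -> float:
    """Bits of search space if the attacker knows the word list and the
    'pick three words' rule; three words from 10,000 is about 39.9 bits."""
    return words_used * math.log2(words_in_list)


if __name__ == "__main__":
    record_a = hash_password("coffeetrainfish")
    record_b = hash_password("coffeetrainfish")
    # Same password, different salts: the stored hashes differ, so one
    # precomputed table of hashes cannot match both users at once.
    print(record_a["hash"] != record_b["hash"])           # True
    print(verify_password(record_a, "coffeetrainfish"))   # True
    print(verify_password(record_a, "walltinshirt"))      # False
    print(round(search_space_bits(10_000), 1))            # 39.9
```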

How did they get the hash? I glossed over the cyber-criminals getting hold of the files containing all of the password hashes. If a website is well designed this should be really hard for a cyber-criminal to do. This is also why we recommend separate passwords for sites that are important to you (like your email) from things like web forums, which aren't. If one website doesn't look after the password hashes properly, that shouldn't allow easy access to the things that are important to you.

Hard to guess. Three well-chosen random words can be quite memorable but not easy to guess. This provides a good compromise between protection and usability.

Ultimately it's your choice of course, but hopefully this blog post has helped to make your password choices a little bit more informed.

181 comments

Nicola - 19 Dec 2017
makes you think about how you share information. very difficult to read!! text should be easier to read and font size
Mabir - 22 Dec 2017
I found the blog really useful and will take on board some of the recommendations - thanks!
Barry Pike - 21 Dec 2017
The fact of remembering passwords for most people is difficult, but your suggested method of three words is very good,
there is an even better way by using a rhyme of several words with a system called mnemonic.
Anyone using a computer should look up or search in google it makes very interesting reading.
m.chagger - 22 Dec 2017
very useful
J Quinn - 24 Dec 2017
Very informative with regards to making up passwords. Using common themes not always secure
J. G - 27 Dec 2017
very useful.
J garwell - 27 Dec 2017
very useful article.
AndyB - 29 Dec 2017
Very useful blog read for IT Managers everywhere.

It is important to note the one password all hackers are searching for, the database connection password. There is a lot of data floating in the cloud that's only protected by a single non hashed password, one often found hard coded in PHP scripts. MySQL, Mongo and AWS, no DB is safe from lazy coding practice. And then there is the whole minefield of easy to guess root passwords. In other words, your personal data is only as safe as someone else's weakest password.

If any of you guys are interested in password security, Google "John the Ripper" - it's the hacker's password cracking tool. Also, check out your new buzzphrase for 2018, "password guessing entropy".

hAppyNewY3ar2018
cha - 03 Jan 2018
useful information
Menaka Jayalath Yapa - 03 Jan 2018
this is good and i will consider the three words password...
Wendy Williams - 04 Jan 2018
VERY INFORMATIVE
Wendy Williams - 04 Jan 2018
This has made me aware of useful forms of protecting my details
Ian Stuart - 08 Jan 2018
I really love the comments on this page. (A few lovely trolls in there)

For passwords: I use one English word, one Spanish word and a special character, with a Capital letter thrown in. Not in that order :^)
Maxine Hill - 08 Jan 2018
this information was very useful to me
nkechi - 18 Jan 2018
awesome
judyshaji - 22 Jan 2018
information helpful
jan murray - 24 Jan 2018
i found the information very interesting
Rachael Thomsen - 24 Jan 2018
Helpful information
Jacqueline Ward - 24 Jan 2018
ok
SAAI3181 - 25 Jan 2018
good experience
Gareth Owen - 26 Jan 2018
Interesting article, particularly when linked to another on this subject about using password managers and frequently expiring passwords.

An offer of sustainable and memorable password management:-

1. Don't use word combinations.
Instead, think more along the lines of passphrases but pick individual characters from each of the passphrase words. This helps reduce the length and pass some system password length restrictions.
2. Combine passphrases of different types
To balance memorability over complexity, think of a passphrase of personal significance, for example, a quotation, verse, song, line from your favourite movie.
3. Don't use substitution
It's really obvious that e=3, s=5, 0=o and so on
4. Use special characters
To help memorability, interject special characters and numbers at the start and end of each of the combined passphrase coding.
5. Capitalise certain characters
For letters representing special significance in a passphrase, choose to capitalise them - this way, they will be easier to remember.
6. Think of your new passphrase as a 'key' .. not a passphrase or password.
7. Consider creating several 'keys'
The key that fits your gym locker should not start your Ferrari. It's not difficult to create and memorise a few different keys. I personally use around 6, each having relevance to a category of system - for example, don't use the same key for systems I have high confidence and trust in than I do for other lesser trusted systems - also factor in key types against value.
8. Change keys infrequently
Only my opinion, but if you do create a truly complex key, in the way outlined above, statistically, the likelihood of 'guessing' your original key is no less than guessing a new, equally complex key. In fact, the process of changing keys introduces new risks.
christine grace - 26 Jan 2018
very informative
Ionie Johnson - 29 Jan 2018
Informative
Pat Saunders - 31 Jan 2018
found reading very interesting - very different replies from lots of people which was good to read
matilda m-martey - 31 Jan 2018
good information
Shirley Adams - 01 Feb 2018
good information
christine grace - 01 Feb 2018
very informative and useful
pat evans - 02 Feb 2018
good practice/info.
Andrew Williams - 02 Feb 2018
It was helpful because there were things in the info I never knew before.
Caroline Mclaughlin - 06 Feb 2018
Useful information
rita edwards - 06 Feb 2018
really helpful information
Sharon Westwood - 07 Feb 2018
Great source of information
M.George - 07 Feb 2018
I got a good knowledge and all the information is very important. I will try to follow and use it wherever necessary
sheela - 08 Feb 2018
Interesting and informative.
s spencer - 12 Feb 2018
I found the information was quite informative, based on what I have read will keep this page for future reference on making passwords
M Mallinson - 12 Feb 2018
Very useful and informative information. Thank you.
Amanda Brown - 14 Feb 2018
I found the information very important and showed how easy mistakes can be made; will keep this page.
Amanda.wadsworth - 14 Feb 2018
Very useful information regarding making up passwords etc.
jerry ratna - 15 Feb 2018
very good and useful
Michelle - 15 Feb 2018
Very interesting
ann cooke - 16 Feb 2018
Helpful,informative and useful knowledge relevant to my work
Anne Fraser - 16 Feb 2018
content a bit long winded for anyone not familiar with computers
Lyn Buckingham - 16 Feb 2018
Thanks for info-very useful. Will increase characters to 17 from now on
julie patterson - 17 Feb 2018
very useful
satish misal - 17 Feb 2018
it's very helpful
Jerry Ratna - 17 Feb 2018
very good information
M. Karpel - 18 Feb 2018
Good information but prefer to use my own, memorable to myself only.
ann richardson - 19 Feb 2018
very useful, thank you.
Alison Jones - 19 Feb 2018
Very Useful Information.
charles asiedu - 19 Feb 2018
good tips on password generation