NCSC Recommends Against Arbitrary Password Complexity Requirements

The UK National Cyber Security Centre (NCSC) has made new recommendations for password creation that are intended to ensure passwords meet requirements for complexity while also making them easy for users to remember. While the latest password guidance may reduce password complexity compared to the standard password advice of creating passwords consisting of a random selection of characters, the former approach hasn´t been wholly successful in preventing account compromises.

Password Complexity Rules Don’t Solve the Weak Password Problem

The standard password best practice is to create and enforce a password policy that requires the use of at least one upper- and lower-case letter, a number, and a special character. Most online platforms and apps now require these elements for passwords and passwords conforming to those requirements are, in theory at least, more resistant to the brute force tactics of hackers. But there are problems with this approach.

First, it is difficult for humans to create truly random strings of characters. There are biases and certain character combinations are more likely than others. These biases are factored into hackers’ password guessing algorithms. Complex passwords are also difficult to remember. That means passwords are often written down or tactics are employed to meet the requirements for complexity that in reality reduce password complexity. It is common for numbers to be used to replace letters. 1, 3, 5, and 0 are often used to replace an l, e, s, and o, for example. “P455w0rd!” meets the standard complexity requirements but it is also exceptionally weak. This tactic is well known to hackers, who incorporate replacement characters in their brute force algorithms.

A Different Approach to Arbitrary Password Complexity Rules

The result of applying standard password complexity requirements is the creation of passwords susceptible to brute force attacks. “Counterintuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords,” explained NCSC. “Security that’s not usable doesn’t work.”

NCSC explained in its latest guidance on passwords that a different approach should be adopted that combines security with usability. Rather than force users to follow standard password complexity requirements, it would be far better to adopt its recommended approach of creating passwords using three random words.

Using dictionary words for passwords is not a good tactic, as hackers often conduct dictionary-based attacks to guess passwords; however, by combining three dictionary words (or nondictionary words for that matter), it is possible to achieve a good level of password complexity that makes it difficult for brute force algorithms to work, while also solving the problem of complex passwords being too difficult to remember.

NCSC explained the three random word approach has multiple benefits:

  • Length – Passwords will usually be longer than the minimum 8 characters
  • Impact – The password strategy is easy to explain
  • Novelty – Users are encouraged to use words they would not normally consider
  • Usability – It is easy for end users to think of three words and remember them

The Three Random Word Approach is Not a Password Panacea

This approach is not without its issues of course, and the advice has received some criticism from security experts. “Whilst not a password panacea, using ‘three random words’ is still better than enforcing arbitrary complexity requirements,” explained NCSC. “Complexity requirements alone is a blunt instrument; to provide a more targeted removal of weak passwords, the NCSC recommend a minimum length requirement combined with the application of password deny lists,” in addition to the three random word approach.

One of the main criticisms of the three random word approach to password creation is it does not solve the issue of creating unique passwords for all accounts. If one password is used on multiple accounts, if that password is compromised in a data breach, all accounts that use that password can be accessed. Since the average user has 100 passwords, it would not be possible to memorize 100 unique passwords of three random words, no matter how much easier that approach makes it to remember passwords.

Password Managers Should be Used and NCSC Recommendations Implemented

NCSC recommends individuals and businesses should adopt a password manager solution. Password managers securely store passwords in an encrypted vault so even if a breach occurs, passwords are not exposed. Many password managers, Bitwarden for example, also operate under the zero-knowledge model, which means even the password manager provider cannot access passwords in users’ vaults.

With a password manager, a user is only required to set and remember one password – the master password that gives them access to their vault. The three random word approach can be employed for the master password, while the random password generator of the password manager can be used to create unique, complex passwords for each account.

“Some people compare ‘three random words’ passwords with the ‘random passwords created by password managers’. The latter are stronger than either ‘three random words’ or ‘human-generated complex passwords’. However, this is not currently a useful comparison to make, as there is still a very low uptake of password managers. We hope more people will adopt password managers and this will also increase the diversity of passwords.”

Diversity is the key here. NCSC is not trying to make it impossible for passwords to be guessed, as that is not practical. The key is to improve password diversity, as that will “[reduce] the number of passwords that are discoverable by cheap and efficient search algorithms, forcing an attacker to run multiple search algorithms (or use inefficient algorithms) to recover a useful number of passwords.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of