The UK’s NCSC password recommendations have been refreshed recently and a new strategy is being shared that improves usability while also adhering to password strength requirements.
There are many schools of thought on how passwords should be created, but all rest on the same idea: a password must be complex enough that it cannot simply be guessed, not only by a person but also by the algorithms attackers use in brute-force campaigns.
Every year, lists of the worst passwords are published, compiled from credentials exposed in data breaches. These lists make clear that some people are poor at choosing passwords. Because of the risk of end users creating such weak passwords, many organisations now impose minimum password complexity requirements, but that does not automatically mean end users will create strong passwords.
The Issue with Password Complexity Requirements
The minimum password complexity requirements, in most cases, call for at least one lower-case and one upper-case letter, a number, and sometimes a special character as well. Using these elements makes passwords much harder to crack – in theory, anyway. In practice, people get around the requirements by creating passwords such as “Passw0rd!” or “Qwertyuiop1!” that satisfy the complexity rules but are still very weak and highly susceptible to brute-force campaigns.
From a security standpoint, every account should have a unique password that is never reused across multiple accounts. Passwords should ideally consist of random letters, numbers, and characters and be sufficiently long – 8 characters at the very least. The problem is that while such random, complex passwords are strong and will stand up to brute-force attacks, they are also virtually impossible for most people to remember, especially when you consider that the average worker has around one hundred passwords.
The National Institute of Standards and Technology (NIST) addressed this issue in its most recent password guidance (SP 800-63B) and recommends passphrases instead of passwords, since the length of a passphrase of, say, 16 characters provides the required complexity while remaining user-friendly.
Now the National Cyber Security Centre (NCSC), part of the UK's Government Communications Headquarters (GCHQ), has come up with a new approach to setting passwords that combines security with usability.
Use Three Random Words: NCSC Password Recommendations
The approach proposed by the NCSC differs from the arbitrary complexity requirements organisations often impose. Passwords that mix lower- and upper-case letters, numbers, and special characters are often far from complex and can give a false sense of security, because the character combinations end users choose are usually far from random. Many people make passwords easier to remember, while still satisfying complexity rules, by replacing a 1 with an exclamation mark, an E with a 3, an S with a 5, or an O with a zero. Attackers are well aware of these substitutions.
The NCSC password recommendations provide sufficient complexity while keeping passwords simple to remember: the password is built from three random words. Three random words yield a password that is long enough and complex enough, yet still easy to recall.
The three random words approach to passwords works for several reasons:
- Length – Passwords will generally be longer
- Impact – The strategy is quick and easy to explain
- Novelty – Encourages use of words not previously considered
- Usability – It is easy to think of three words and remember them
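To make the contrast concrete, the following added example (my own illustration, not code from the NCSC or from this article) checks a candidate password against a typical complexity rule, then collapses it the way a cracking rule set would (lower-case, drop the trailing digit or symbol, undo the leet substitutions described above) and looks the result up in a small constructed list of common base words. It also computes the entropy of a three-random-words passphrase as n × log2(wordlist size), the standard figure for words drawn uniformly and independently from a known list. The base-word set, the 12-word sample list, the pool sizes used by the naive meter (26 + 26 + 10 + 32) and the substitution table are all assumptions of the demo; a practitioner would check candidates against a real breach corpus instead.

```python
import math
import re
import secrets

# Constructed sample data for the demonstration (not a real breach list or the NCSC wordlist).
COMMON_BASE_WORDS = {"password", "qwertyuiop", "letmein", "welcome", "iloveyou"}
SAMPLE_WORDLIST = ["anchor", "bramble", "cobalt", "dune", "ember", "fjord",
                   "garnet", "hazel", "ivory", "juniper", "kestrel", "lantern"]

# Trailing digit/symbol that "Passw0rd!" and "Qwertyuiop1!" append to satisfy the rules.
TRAILING_JUNK = "0123456789!@#$%^&*.?"

# Minimal inverse of the substitutions the article describes (1/! -> i, 3 -> e, 5 -> s,
# 0 -> o) plus a few others that attackers' rule sets also cover. Assumed table.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e",
                          "5": "s", "@": "a", "$": "s", "4": "a"})


def meets_complexity_rules(pw: str, min_len: int = 8) -> bool:
    """Typical corporate rule: length >= min_len with lower, upper, digit and special."""
    return (len(pw) >= min_len
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def naive_entropy_bits(pw: str) -> float:
    """What a naive strength meter reports: length * log2(pool of character classes used).
    Assumed pool sizes: 26 lower, 26 upper, 10 digits, 32 printable ASCII symbols."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"\d", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 32
    return len(pw) * math.log2(pool) if pool else 0.0


def normalise(pw: str) -> str:
    """Collapse a candidate to the base word a cracking rule set would try first:
    lower-case it, drop the trailing digit/symbol, then undo leet substitutions."""
    return pw.lower().rstrip(TRAILING_JUNK).translate(LEET_MAP)


def assess(pw: str) -> dict:
    """Put the complexity-rule verdict next to the dictionary-based one."""
    base = normalise(pw)
    return {
        "meets_rules": meets_complexity_rules(pw),
        "naive_bits": round(naive_entropy_bits(pw), 1),
        "normalised": base,
        "verdict": "weak" if base in COMMON_BASE_WORDS else "ok",
    }


def passphrase_entropy_bits(wordlist_size: int, n_words: int = 3) -> float:
    """Entropy of n_words chosen uniformly and independently from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def three_random_words(wordlist=SAMPLE_WORDLIST, n_words: int = 3, sep: str = " ") -> str:
    """Pick the words with a CSPRNG; repeats are allowed, matching the entropy formula."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for candidate in ("Passw0rd!", "Qwertyuiop1!", "ember lantern cobalt"):
        print(f"{candidate!r}: {assess(candidate)}")
    print("bits for 3 words from the 12-word sample list:",
          round(passphrase_entropy_bits(len(SAMPLE_WORDLIST)), 1))
    print("example passphrase:", three_random_words())
```

Running it shows the false sense of security the article warns about: “Passw0rd!” passes the rule and a naive meter credits it with roughly 59 bits, yet it normalises to “password” and is rejected, while the three-word passphrase fails the rule but owes its strength to the size of the list it was drawn from, not to character classes.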
NCSC’s technical director, Dr. Ian Levy said: “Traditional password advice telling us to remember multiple complex passwords is simply daft. By following this advice, people will be much less vulnerable to cybercriminals and I’d encourage people to think about the passwords they use on their important accounts, and consider a password manager.”
The focus of the most recent NCSC password recommendations is not to solve the password problem completely but to increase password diversity – that is, “reducing the number of passwords that are discoverable by cheap and efficient search algorithms, forcing an attacker to run multiple search algorithms (or use inefficient algorithms) to recover a useful number of passwords.”