Passwords – three random words can keep scammers out

11 Aug 2021

A recent blog by the National Cyber Security Centre (NCSC), promotes the idea that good password hygiene can be achieved using three random words: easy to remember but strong enough to keep online accounts secure from cyber criminals.

Protect your friends by sharing this article with them:

Fraud and cybercrime now account for over 50% of all crime in the UK.  IPS is constantly on the lookout for tips and tricks to help our members avoid being scammed by this onslaught, and the NCSC article reveals some convincing and sensible thinking to do just that.

How scammers guess passwords

We have written extensively about the trade in email addresses and passwords from the dark web, where a scammer may buy a list of 100,000 email addresses.  They would have to pay a lot more money to buy the accompanying passwords, so often choose to use their own ‘password-guessing-software’ to try and crack – for example – a bank account attached to that email address.  Scammers regularly piece together a jigsaw of your identity from social media feeds (where you show off your favourite holiday destinations, your adventures with Spot the dog and your love of Italian food).

All of that information is fed into the software to start guessing passwords.  Think about all the times you might have replaced the number ‘1’ with an exclamation make ‘!’, or the letter ‘O’ with the number ‘0’.  Password hacking software understands all these tricks.  This ubiquitous threat to your password security comes from intelligent software attacking with focused precision rather than teenagers in North Korea taking a random guess at the name of your goldfish.  You need to make it as difficult as possible for anyone to crack your password.

Some great (but very detailed) maths on this subject is covered in this article by The Conversation, but we picked out one incredible finding:

A computer can guess 100bn password variations per second. Does yours still feel safe?


The NCSC shares some useful password creation knowledge:

  • The average person struggles to remember many complex sets of characters. Faced with the need to create a new password we fall back to ones we have used before, maybe with one or two differences.  Across a population this becomes predictable behaviour for password guessing software.
  • Lots of historical advice has been to ‘never write it down, but remember it and burn after reading’.  A piece of paper in your house hidden away is only really at risk from a very ‘lucky’ burglar.  It can’t be guessed by a global network of digital criminals if it’s not on the internet.
  • For people with lots of passwords (and the average person now has over 70) there are many benefits to using your Google Chrome or Apple Safari or Microsoft Bing browser remember your password for you.  Password manager software provides even more piece of mind, and is a key feature (number 7 of the 9 benefits) in IPS 360 Protect

Why Three Random Words

A lot of brain power went in to the Three Random Words theory for people wanting password security but not willing to use a password manager to remember lots of complex number and letter combinations.

The major benefits are:

  • LENGTH: Longer passwords are better than short ones.  Three words that you can remember will generally be longer than one word with some $£% type trickery (that becomes predictable and therefore guessable).
  • IMPACT: Once you have heard the government cyber gurus recommend the Three Random Words approach, it becomes hard to forget. (This article revealed its key insight in the title).
  • NOVELTY: Historically, most passwords have used a single word as the stem for other characters to hang off. That’s what the computers spinning through 100bn guesses per second use to predict yours. They haven’t been trained on how to guess three words from your life that have stuck in your brain.
  • USABILITY: Where complicated passwords fall down is all the effort it takes to create, remember and type them back in.  Too much effort makes us lazy and makes us repeat predictably bad habits.   Three Random Words feels like less effort, so it is a winner on that front.  However, we don’t suggest you use the same words across all your accounts. Use the same approach but not the same words. If it gets too complicated have a look at using a Password Manager to carry the load for you.

IPS Summary

Passwords can be guessed by machines who understand that humans don’t cope well with remembering too much.  Once you know that fact we hope you will all be a little more careful.
  • Try Three Random Words as an approach.
  • Use your internet browser to help save your passwords.
  • Don’t visit your financial or health records using public Wi-Fi.
Consider using a password manager.  IPS offers the Norton Password Manager as part of 360 Protect with no contract.
Give it a try for a month.

Have your say

As an IPS member, you can leave us your thoughts, comments and experiences in the commments section below

Leave a Reply

You must be logged in to post a comment.