Password Recommendations by NCSC

The UK’s National Cyber Security Centre (NCSC) has updated its password recommendations. The new strategy satisfies password strength requirements while remaining user-friendly.

There are several schools of thought on creating passwords, but all rest on the same assumption: passwords must be complex enough that they cannot be guessed quickly, not just by humans but by the algorithms attackers use in brute force attacks.

Every year, lists of the worst passwords are published, compiled from credentials compromised in data breaches. These lists make clear that many people are not good at choosing passwords. For instance, “password,” “12345678,” and “qwertyuiop” appear in the lists year after year. Because of the risk of users choosing weak passwords, many companies now enforce minimum password complexity requirements; however, that does not guarantee that strong passwords will be set.

The Problem with Password Complexity Requirements

Typical minimum complexity requirements call for at least one number, one lower-case and one upper-case letter, and usually a special character. Including these elements results in harder-to-guess passwords, at least in theory. In practice, people satisfy the requirements with passwords such as “Passw0rd!” or “Qwertyuiop1!”, which meet the complexity rules yet remain extremely weak and highly susceptible to brute force attacks.

From a security viewpoint, every account should have a unique password that is never reused across accounts. Ideally, passwords should be made up of random numbers, letters, and characters and be sufficiently long, at least 8 characters. The problem is that although such random, complex passwords are strong and resilient to brute force attacks, they are also virtually impossible for most people to remember, given that the average person has around 100 passwords.

The National Institute of Standards and Technology (NIST) highlighted this problem in its most recent password guidance (SP 800-63B) and advises using passphrases instead of passwords, since the length of a passphrase of, for example, 16 characters provides the necessary complexity while remaining user-friendly.

Now the National Cyber Security Centre (NCSC), part of the UK Government Communications Headquarters (GCHQ), has recommended a new strategy for creating passwords that combines security with usability.

NCSC Password Advice

The NCSC’s approach departs from the conventional advice to use passwords of arbitrary complexity. Passwords containing numbers, lower- and upper-case letters, and special characters are often not truly complex and offer a false sense of security, because the character combinations users choose are rarely random. People rely on well-known tricks to produce passwords that are easy to remember yet satisfy complexity requirements, and attackers know those tricks too: for instance, replacing an E with a 3, a 1 with an exclamation mark, an O with a zero, or a 5 with an S.

Some combinations of letters and numbers are also far more common than others, and those common combinations are built into the password guessing tools attackers use. Counterintuitively, complying with these complexity requirements leads to more predictable passwords.

The NCSC password advice provides sufficient complexity while keeping passwords easy to remember. The recommendation is to build a password from 3 random words. Using 3 random words produces passwords that are reasonably long and adequately complex, yet easy to recall.

This three random word strategy for creating passwords is effective in several ways:

  • Length – Passwords are typically longer
  • Novelty – Encourages the use of words that have not been considered before
  • Impact – The technique is simple to explain
  • Usability – It is easy to come up with three words and keep them in mind

NCSC’s technical director Dr. Ian Levy explains that the traditional password advice to remember several complex passwords is just silly. By adopting this recommendation, people become less vulnerable to cybercriminals; they should create such passwords for their most important accounts and consider using a password manager.

The last piece of advice is crucial, as the tactic of using 3 random words does not scale when unique passwords must be created for 100 online accounts. Three random words is not a panacea that solves the problem of remembering many passwords in one stroke; it works when used together with secure storage.

The goal of the most recent NCSC password recommendations is not to fix the password problem entirely, but to improve password diversity: that is, to reduce the number of passwords that can be guessed by cheap, efficient search algorithms, forcing an attacker to run several search algorithms (or use inefficient ones) to obtain a useful number of passwords.
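The following Python script is an added illustration, not code from the article or from NCSC. It shows why the substitution tricks described above (“Passw0rd!”, “Qwertyuiop1!”) pass a conventional complexity policy yet collapse to a blocklisted word once the tricks are undone, and contrasts that with a three-random-word passphrase chosen by a CSPRNG; the blocklist, word list and substitution map are constructed sample data, and the entropy figure assumes words are drawn uniformly from the list.

```python
import math
import re
import secrets

# Constructed sample data for this example; a real deployment would use a large
# breached-password blocklist and a word list of thousands of entries.
COMMON_PASSWORDS = {"password", "12345678", "qwertyuiop"}
WORDLIST = ["coffee", "train", "fish", "garden", "violet", "anchor", "pebble", "lantern"]

# Undo the substitutions the article describes (E->3, O->0, S->5, 1->!) so that a
# "complex" spelling collapses back to the dictionary word it was built from.
LEET_MAP = str.maketrans({"3": "e", "0": "o", "5": "s", "1": "i", "!": "i", "@": "a", "$": "s"})


def meets_complexity_policy(pw: str) -> bool:
    """The conventional rule: at least 8 chars with a digit, lower, upper and special."""
    classes = (r"\d", r"[a-z]", r"[A-Z]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)


def normalize_candidates(pw: str) -> set:
    """Spellings a guessing tool's rule set would try: lowercase, de-leeted, suffix stripped."""
    base = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", base)  # drop the trailing "1!" style suffix
    return {base, base.translate(LEET_MAP), stripped, stripped.translate(LEET_MAP)}


def is_predictable(pw: str) -> bool:
    """True when the password is a blocklisted word dressed up with the usual tricks."""
    return any(c in COMMON_PASSWORDS for c in normalize_candidates(pw))


def three_random_words(wordlist=WORDLIST, sep: str = "") -> str:
    """NCSC-style passphrase: three words chosen with a CSPRNG, not by the user."""
    return sep.join(secrets.choice(wordlist) for _ in range(3))


def passphrase_entropy_bits(words: int, list_size: int) -> float:
    """k words drawn uniformly from a list of N gives k * log2(N) bits of guessing resistance."""
    return words * math.log2(list_size)


if __name__ == "__main__":
    for pw in ("Passw0rd!", "Qwertyuiop1!", three_random_words()):
        print(f"{pw:24} policy={meets_complexity_policy(pw)} predictable={is_predictable(pw)}")
    print("3 words from an 8-word list:", passphrase_entropy_bits(3, len(WORDLIST)), "bits")
```

With only 8 sample words the passphrase entropy is tiny (9 bits); the point of the check is that the two “complex” passwords pass the policy but are flagged as predictable, while the passphrase is not.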

The Most Effective Password Strategy

Based on the NCSC password recommendations, the most effective password strategy is to create a password from 3 random words and to use a password manager. With a password manager, users can generate fully random strings of letters, numbers, and characters that are extremely complex, yet they do not need to remember them. The passwords are stored in encrypted form in a secure password vault and auto-filled whenever the user needs them, so there is no need to remember or type them. These tools are highly secure, and many operate on a zero-knowledge design, meaning even the developer of the password manager cannot access users’ vaults.

All a user needs to do is create a strong master password for the password vault and enable 2-factor authentication. The three random words technique works well for the master password that unlocks the user’s vault of truly random, long, complex passwords.

Low-cost and even free password managers are available. For instance, Bitwarden offers a secure, open-source password manager free of charge, and its individual premium plan costs only $10 a year. Despite the low cost, very few people use one.

If companies and individuals adopt a password manager and follow the most recent NCSC password recommendations, password security and usability will both improve substantially.