NCSC Password Recommendations

The UK’s NCSC password recommendations have been updated and a new strategy is being promoted that meets password strength requirements but improves usability. 

There are multiple schools of thought when it comes to the creation of passwords, but all are based on the premise that passwords need to be sufficiently complex to ensure they cannot be easily guessed, not only by humans, but also the algorithms used by hackers in brute force attacks.

Each year lists of the worst passwords are published that are compiled from credentials exposed in data breaches. These worst password lists clearly demonstrate that some people are very poor at choosing passwords. Passwords such as “password,” “12345678,” and “qwertyuiop” all feature highly in the lists. Due to the risk of end users creating these weak passwords, many organizations now have minimum requirements for password complexity, but that does not always mean end users will set strong passwords.

The Problem with Password Complexity Requirements

The minimum requirements for password complexity are typically to have at least one lower- and upper-case letter, a number, and often a special character. Incorporating these elements makes passwords much harder to guess – in theory at least. In practice, individuals get around these requirements by setting passwords such as “Passw0rd!” or “Qwertyuiop1!” that meet complexity requirements but are still incredibly weak and extremely vulnerable to brute force attacks.

From a security perspective, all accounts should have a unique password which must never be used to protect multiple accounts. Passwords should ideally consist of random letters, numbers, and characters and be sufficiently long – 8 characters as an absolute minimum. The problem is that while these random complex passwords are strong and will be resistant to brute force attacks, they are also virtually impossible for most people to remember, especially considering the average person has around one hundred passwords.

The National Institute of Standards and Technology (NIST) highlighted this problem in its latest password guidance (SP 800-63B), and recommends the use of passphrases rather than passwords, as the length of a passphrase of, say 16 characters, adds the required complexity while being human-friendly.

Now, the National Cyber Security Centre (NCSC), part of the UK Government Communications Headquarters (GCHQ) has suggested a new approach for creating passwords that combines security with usability.

NCSC Password Recommendations are to Use Three Random Words

The solution proposed by NCSC is contrary to the arbitrary complexity password requirements often recommended. Complex passwords consisting of lower- and upper-case letters, numbers, and special characters that are often far from complex may give a false sense of security. The reason is the character combinations selected by end users are usually far from random. There are tricks that many people use to make passwords easy to remember and meet password complexity requirements, and those tricks are known to hackers. For example, replacing a 1 with an exclamation mark, an E with a 3, an S with a 5, or an O with a zero.

There are also combinations of letters and numbers that are more common than others, and those more common combinations are incorporated into hackers’ password algorithms. “Counterintuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords,” explained NCSC in a recent blog post. “Security that’s not usable doesn’t work.”

The NCSC password recommendations add enough complexity while still making passwords easy to remember. They are to use three random words to make up a password. The use of three random words means passwords will be relatively long, sufficiently complex, but easy to remember.

The three random word approach to passwords works in several different ways:

  • Length – Passwords will generally be longer
  • Impact – The strategy is quick and easy to explain
  • Novelty – Encourages use of words not previously considered
  • Usability – It is easy to think of three words and remember them

“Traditional password advice telling us to remember multiple complex passwords is simply daft,” said NCSC’s technical director, Dr. Ian Levy. “By following this advice, people will be much less vulnerable to cybercriminals and I’d encourage people to think about the passwords they use on their important accounts, and consider a password manager.”

The latter advice is important, as the strategy of using three random words does not work when unique passwords need to be created for 100 difficult online accounts. “Adopting three random words is not a panacea that solves the issue of remembering a lot of passwords in a single stroke, and we expect it to be used alongside secure storage,” said NCSC.

The aim of the latest NCSC password recommendations is not to solve the password problem completely, but simply to increase password diversity – that is, “reducing the number of passwords that are discoverable by cheap and efficient search algorithms, forcing an attacker to run multiple search algorithms (or use inefficient algorithms) to recover a useful number of passwords.”

The Best Password Strategy

The best password strategy based on the NCSC password recommendations is to create password of three random words, but also to use a password manager. A password manager such as Bitwarden allows users to generate truly random strings of numbers, letters, and characters that are incredibly complex, but importantly users never have to remember them. Those passwords are stored in encrypted form in a secure password vault and will be autofilled when a user needs them. There is never the need to remember passwords or type them in. These solutions are very secure and many operate under the zero-knowledge model, where even the password manager developer does not have access to users’ password vaults.

All that is required is for a user to set a secure, master password for their password vault and set up 2-factor authentication. The strategy of using three random words would work well for the master password that provides access to user’ vault of truly random, long complex passwords.

Password manager solutions are usually low cost or even free. For example, Bitwarden provides a secure, open-source password manager solution under a free tier with the individual premium package only costing $10 per year, yet even with the low cost of these solutions, uptake is still low.

If businesses and individuals make the change and start using a password manager and implement the latest NCSC password recommendations, password security and usability will be substantially improved.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.