PC Pro - UK, December 2021

DAVEY WINDER

Davey is a journalist and consultant specialising in privacy and security issues. @happygeek


“Skip the three words thing, go straight for the ‘use a password manager, dammit’ jugular”

Don’t. Do. That... warns Davey, who offers much better advice for a secure password strategy than the three-random-word rule


“Most people, most of the time, choose three words that are far from random”

This month I’m going to do something that I’m sure won’t shock regular readers: pick an argument with the powers that be. The government organisation in question is the National Cyber Security Centre (NCSC), which, by and large, does a splendid job in both public and private sectors in matters of security advice and support. By and large, but not on one occasion recently when it decided the time was right to remind us of some password construction advice it first offered five years ago. It was wrong then and remains so to this day.

Using the perfectly reasonable hashtag of #thinkrandom, that advice was to use three random words as your password. That’s three words, not four, so you can forget about the XKCD comic suggestion (xkcd.com/936) of “correct, horse, battery, staple” that has wedged itself into cybersecurity folklore. Not that you should use it anyway, as password reuse is obviously verboten if you want to maintain any semblance of a strong security posture.
The latest NCSC posting, while admitting that the use of three random words is “not a password panacea”, serves to press home the message that it’s better than using traditional password complexity advice because the latter relies upon us memorising lots of long and complex strings. Three random words, we are advised for use both at home and work, create passwords that are “strong enough for many purposes” and help get around the reuse problem that it says traditional complex passwords create.
Let’s deal with the last of these first: password reuse.

There is absolutely no difference between trying to remember 97 unique, complex and random password strings and doing so with 97 three-random-word passphrases. You will fail unless you are a memory savant. That is a fact. It’s a fact because as humans we are simply not wired to remember random things.

Which brings me to the second problem I have with the advice: the reality of randomness. Most people, most of the time, will choose three words that are far from random when constructing a whole bunch of passphrases.

What people will do is, totally subconsciously, adopt patterns in the phrases they come up with. Patterns in both the connections between the words used to make recall easier and patterns between the passphrases themselves to make multiple ones easier to recall.
Humans just don’t do randomness well; that’s why there are computer-me-bobs for creating truly random stuff, and more on that later. There’s a really interesting piece of research from the University of Cambridge Computer Laboratory, admittedly now almost a decade old but still relevant, that explains this very well. Its evidence on multi-word passphrases, available at pcpro.link/326multi, was pretty damning: “By our metrics, even five-word phrases would be highly insecure against offline attacks,” the researchers found, because people naturally sway towards speech rather than randomness. “Phrases like ‘young man’, which come up often in speech, are proportionately more likely to be chosen than rare phrases like ‘young table’,” the research concluded. Which is exactly what I would expect.
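As an added illustration, not part of Davey’s column, the Python script below puts numbers on the two points just made: a machine drawing words uniformly with the operating system’s cryptographic random number generator, and how quickly the entropy collapses when the effective vocabulary shrinks to the handful of familiar words people actually reach for. The 7776-word list size is that of a Diceware-style list such as the EFF large wordlist; the 32-word list embedded in the script is a constructed stand-in so it runs offline, and the “human vocabulary” sizes are illustrative assumptions rather than figures from the Cambridge study. Even those human figures are optimistic, because they still treat each word as an independent pick, which the ‘young man’ finding says people do not do.

```python
import math
import secrets
import string

# Constructed stand-in wordlist so the script runs offline. A real
# Diceware-style list (e.g. the EFF large wordlist) has 7776 entries;
# the entropy figures below are computed from whatever list size you pass in.
SAMPLE_WORDS = (
    "anchor basket candle dragon ember falcon garden harbor island jigsaw "
    "kettle lantern meadow needle orchid pepper quartz ribbon saddle timber "
    "umbrella velvet walnut yonder zephyr copper marble pillow rocket tunnel "
    "violin wicket"
).split()

DICEWARE_LIST_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def passphrase_entropy_bits(list_size: int, word_count: int) -> float:
    """Bits of entropy in word_count words drawn uniformly, with replacement,
    from a list of list_size words: word_count * log2(list_size)."""
    return word_count * math.log2(list_size)


def string_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of uniformly chosen words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def random_passphrase(wordlist, word_count: int = 3, sep: str = "-") -> str:
    """The 'computer-me-bob': secrets.choice uses the OS CSPRNG, so every
    word is an independent uniform draw, which is what a human cannot do."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """What a password manager's generator produces: uniform random symbols."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def comparison(list_size: int = DICEWARE_LIST_SIZE) -> dict:
    """Entropy of several schemes, in bits. The 'human' rows assume an
    effective vocabulary of a few hundred common words; that is an
    illustrative assumption for this example, not a measured figure."""
    return {
        "3 words, uniform from list": passphrase_entropy_bits(list_size, 3),
        "4 words, uniform from list (xkcd)": passphrase_entropy_bits(list_size, 4),
        "3 words, human picking from ~500 common words": passphrase_entropy_bits(500, 3),
        "3 words, human picking from ~100 favourites": passphrase_entropy_bits(100, 3),
        "12 random printable chars (manager)": string_entropy_bits(len(PRINTABLE), 12),
        "16 random printable chars (manager)": string_entropy_bits(len(PRINTABLE), 16),
    }


if __name__ == "__main__":
    for scheme, bits in comparison().items():
        print(f"{bits:6.1f} bits  {scheme}")
    print("words needed for 80 bits from a 7776-word list:",
          words_needed(80, DICEWARE_LIST_SIZE))
    print("example passphrase:", random_passphrase(SAMPLE_WORDS))
    print("example manager password:", random_password())
```

Run it and the gap is plain: three words drawn uniformly from a 7776-word list give under 39 bits, three words from a hundred favourites give under 20, while a generator spitting out 16 random printable characters exceeds 100 bits, and nobody is expected to remember any of them because the manager does it for you.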
Look, I perfectly understand that plenty of security professionals disagree with me here. Their argument is generally along the same lines as the NCSC, that adopting a three-random-words approach will create stronger passwords than those we often see being used, and reused, today. Which is true, and I’m not suggesting that Password, or P@ssw0rd, or even P@ssw0rd1, are super-duper credentials to be using. What I am suggesting is that rather than getting people to use three supposedly random words, it would be far better to advise them to use some form of secure password manager instead.

RIGHT: The 1Password password generator is free to use and very efficient