Three Random Words: The NCSC Solution That Actually Works
After yesterday's podcast revelation about our collective digital archaeology disaster, let's talk about the solution hiding in plain sight.
The UK's National Cyber Security Centre dropped some wisdom that sounds almost too simple to work: pick three random words for your passwords.
"Coffee train fish." "Wall tin shirt." "CabbagePianoBucket."
Easy to remember, and unlike "password123," they're not on every hacker's greatest hits list. It's practical, secure, and dare I say, cheerful.
Why Complexity Theatre Fails Spectacularly
As discussed on the podcast, password complexity rules started out as a way to boost entropy, the nerdy term for unpredictability. But somewhere along the way, it became a game of who can remember the least intuitive string of characters while juggling 250 accounts.
You know what that leads to? Sticky notes under keyboards. Or passwords like "CoolKid94" that haven't been updated since 1994.
The human behaviour statistics from our show tell the complete story:
79% "create" passwords by mashing together words and numbers in barely inventive combinations
18% of people include their pet's name in passwords ("Fluffy123" isn't Fort Knox)
12% use their partner's name (imagine getting hacked and losing both data and dignity)
61% of hacked accounts had passwords under eight characters
Meanwhile, the Scientific American piece cited below claims that jumping from six characters to twelve makes a password 62 trillion times harder to crack. Trillion with a "T." The exact multiplier depends on the character set, but the direction is what matters: every extra character multiplies the search space rather than adding to it.
So why are we still clinging to the bare minimum? Because complexity sounds like security, but it's a facade.
The NCSC #ThinkRandom Revolution
The beauty is in the randomness. No special characters needed. Three unrelated, simple words, and you're sitting on a password that's easy to remember and a nightmare to crack.
The NCSC's #ThinkRandom initiative? Such a practical masterpiece. It's about "keeping the bad guys out" in a way that doesn't feel like self-torment.
Here's why it works better than password gymnastics:
Entropy Through Randomness (and Length): Three random words typically create 15+ character passwords, which defeats brute force over raw characters. The real strength, though, comes from how the words are chosen: an attacker who knows the scheme enumerates word combinations, so what counts is the size of the vocabulary and the number of words drawn from it at random. A long password built from predictable pieces is not a strong one.
Human Memory Compatibility: Our brains remember stories and word combinations far better than abstract symbol sequences. "CabbagePianoBucket" tells a weird story your brain can retain.
Defeats Leaked-Password Lists: Random word combinations aren't in lists of previously breached passwords. "Coffee train fish" appears in zero password databases because normal humans don't think that way. Attackers can still combine dictionary words (so-called combinator attacks), which is why the words must be genuinely random and drawn from a large vocabulary, not from a handful of favourites.
Meets Complexity Requirements: Most systems require uppercase, lowercase, and numbers. "Coffee7Train2Fish9" satisfies requirements while remaining memorable.
Real-World Implementation for UK SMBs
Instead of the corporate standard "MyCompany2025!" which screams "please hack me," try:
"GreenElephantWhistle"
"BookshelfTuesdayRocket"
"PurpleClockLemon"
"WindowBreadStaircase"
These combinations:
Meet length requirements (15+ characters)
Include uppercase and lowercase naturally
Are hard to guess even for people who know you
Don't require special character gymnastics
Create unique mental images for memorability
The Business Psychology Angle
Why does this approach work when complex requirements fail?
Cognitive Load Theory: Human working memory can handle 7±2 items. Three words fit comfortably. "P@ssw0rd!2025#SMB" exceeds cognitive capacity and gets written on sticky notes.
Pattern Recognition: We're wired to remember narratives. "Purple elephant dancing" creates mental imagery. "Gh7$Mk9@Pz4!" creates stress.
Compliance vs Security: Complex requirements create compliance theatre while three random words create actual security. Employees follow policies they can actually implement.
NCSC Implementation Guidelines
The official NCSC guidance recommends:
True Randomness: Don't use three words about your business, family, or interests. "AccountingTaxesProfit" isn't random for an accounting firm.
No Forced Rotation: The NCSC advises against regular password expiry, because scheduled changes push people towards predictable tweaks ("SummerBeachSandcastle" becomes "AutumnLeafBonfire"). Change a password when you suspect it has been compromised, not on a calendar.
Unique Combinations: Different three-word sets for different accounts. Don't reuse across systems, and use a password manager (or the browser's built-in one, which the NCSC also endorses) for the accounts you don't type every day.
Additional Security: Add numbers if systems require them. "Coffee7Train2Fish9" maintains memorability while meeting requirements.
The International Perspective
Why did the NCSC develop this guidance? Analysis of billions of compromised passwords revealed that complexity requirements weren't preventing breaches. Length and randomness were.
Other nations are following suit:
Australia's ACSC adopted similar guidance
Canada's CSE recommends passphrases over complexity
Germany's BSI updated requirements to emphasise length
The UK led this transformation because we recognised that security policies must account for human psychology, not just mathematical complexity.
Common Implementation Mistakes
Wrong: Using related words ("Red Blue Green" - pattern recognition)
Right: Using random words ("Bicycle Mustard Volcano" - no logical connection)
Wrong: Using personal references ("DogCatFish" when you have pets)
Right: Using abstract combinations ("Thunder Paperclip Ocean")
Wrong: Adding predictable numbers ("Coffee Train Fish 123")
Right: Using random number placement ("Coffee7Train2Fish9")
Security Comparison: Traditional vs NCSC
Traditional Approach: "MyC0mp@ny2025!"
14 characters
Predictable business reference
Common substitution patterns (@ for a, 0 for o) and a trailing year, exactly the rules cracking tools try first
Meets complexity requirements
Forgotten within weeks, written on sticky notes
NCSC Approach: "PurpleElephantTelegraph"
23 characters
No leetspeak, year or company-name pattern to exploit
Hard to guess even with personal knowledge
Meets length and mixed-case requirements; add a digit only where a system insists on one
Memorable through visual imagery
Security Analysis: The NCSC approach is far stronger despite appearing "simpler." Its strength is the number of word combinations an attacker must try, which grows exponentially with each word drawn from a large vocabulary, whereas "MyC0mp@ny2025!" falls to the standard substitution-and-year rules long before anyone has to brute-force 14 characters.
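As an added example (not code from the page, the podcast, or the NCSC), the Python below does the three things the "why it works" list and the comparison above talk around: it draws three words with a cryptographic random number generator, computes the entropy an attacker who knows the scheme must beat (word combinations, not character strings), and checks the sample passwords against a typical corporate policy. The toy wordlist, the 7,776 and 100,000 vocabulary sizes and the 10^10 guesses-per-second rate are assumptions for illustration, not NCSC figures.

```python
import math
import secrets

# Constructed toy vocabulary for the demo. Assumption: a real generator would
# load a large list (for example the EFF long wordlist, 7,776 entries).
TOY_WORDS = [
    "coffee", "train", "fish", "wall", "tin", "shirt", "cabbage", "piano",
    "bucket", "bicycle", "mustard", "volcano", "thunder", "paperclip", "ocean",
    "elephant", "whistle", "bookshelf", "rocket", "window", "bread", "staircase",
]


def pick_three(words, n_words=3):
    """Draw n words uniformly with a CSPRNG (secrets, never random.choice).

    Drawing with replacement keeps the entropy calculation below exact.
    """
    return [secrets.choice(words) for _ in range(n_words)]


def format_camel(picks):
    """Join the picks CamelCase style, as in the page's examples."""
    return "".join(w.capitalize() for w in picks)


def bits_for_words(vocab_size, n_words=3):
    """Entropy (bits) of n words drawn uniformly from a vocabulary of vocab_size.

    This is the number an attacker who knows the scheme has to beat: they
    enumerate word combinations, not every string of that length.
    """
    return n_words * math.log2(vocab_size)


def bits_for_chars(alphabet_size, length):
    """Entropy (bits) of a string of `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given offline guess rate."""
    return 2 ** bits / guesses_per_second


def meets_policy(password, min_length=12, require_digit=True):
    """Typical corporate policy: minimum length, upper and lower case, optionally a digit."""
    return (
        len(password) >= min_length
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and (not require_digit or any(c.isdigit() for c in password))
    )


if __name__ == "__main__":
    RATE = 1e10  # assumption: offline guesses per second against a fast hash
    print("generated:", format_camel(pick_three(TOY_WORDS)))
    rows = [
        ("8 chars, 95-symbol alphabet, truly random", bits_for_chars(95, 8)),
        ("3 words from a 7,776-word list", bits_for_words(7776, 3)),
        ("3 words from a 100,000-word list", bits_for_words(100_000, 3)),
        ("4 words from a 7,776-word list", bits_for_words(7776, 4)),
        ("23 letters if the attacker did NOT know the scheme", bits_for_chars(52, 23)),
    ]
    for label, bits in rows:
        print(f"{label:52s} {bits:6.1f} bits  {seconds_to_exhaust(bits, RATE):>10.3g} s")
    for pw in ("PurpleElephantTelegraph", "Coffee7Train2Fish9"):
        print(pw, "passes a digit-requiring policy:", meets_policy(pw))
```

The table this prints is the caveat the page's critics raise: three words from a small published list give about 39 bits, which a fast offline attacker who knows the scheme can exhaust in under a minute at the assumed rate, while the same three words from a 100,000-word vocabulary, or four words from the small list, push that to hours or days. The 131-bit figure for "23 random letters" is the wrong number to quote, because the attacker is not searching random letters. The lesson is to keep the words genuinely random and the vocabulary large, and to let the server-side hashing (and online rate limiting) do the rest.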
Moving Beyond Three Words
As we discussed on the podcast, this is transitional guidance. Passkeys and biometric authentication will eventually replace passwords entirely. But during the transition period, three random words provide:
Superior security to complex passwords
Human-compatible memorability
Business policy compliance
Bridge to a passwordless future
Microsoft is pushing toward passkeys, but until universal adoption, UK SMBs need practical interim solutions. Three random words work across all systems, devices, and scenarios.
Tomorrow's Challenge
Tomorrow, Mauven explores the psychology behind why we stick to terrible password habits despite knowing better. Why do 44% of people never change passwords? Why does password reuse persist at 78% despite constant breach warnings?
The answer isn't technical—it's human. Understanding human psychology is crucial for implementing security that works in practice, not just on paper.
Wednesday's question: If three random words are so effective, why do people resist adopting them? Mauven will dive deep into the behavioural science that explains our digital security failures.
Spoiler alert: The problem isn't that people don't understand security. The problem is that our security systems don't understand people.
Sources
Source | Type | Title/Description
---|---|---
NCSC | Government Agency | Three Random Words Guidance
Scientific American | Publication | Memory Trick Increases Password Security
Podcast | Audio Content | Passwords are Dead, Long Live Passwords
NCSC | Government Blog | The Logic Behind Three Random Words
Specops Software | Security Analysis | Three Random Words Passwords - How Secure is This Method?
Paul Reviews | Security Critique | Passwords: Using 3 Random Words Is A Really Bad Idea!
Big Think | Science Publication | Strong Passwords: The Mathematical Power of 3 Random Words
HS Today | Security Magazine | Why Three Random Words Make the Best Passwords