We often get asked about why uLearn courses recommend users to create passwords by picking random words and adding them together.
This method of creating a password - known as the 'random words technique' or 'passphrase', is the current best practice recommended by major cyber security agencies and organizations across the globe.
U.S. Federal Trade Commission
Consider using a passphrase of random words so that your password is more memorable
- from the Password Checklist
UK National Cyber Security Centre
By combining three random words - you can create a password that's 'random enough' to keep the bad guys out, but also 'easy enough' for you to remember
Australian Cyber Security Centre
A unique, strong passphrase can better protect your account compared to a simple password
- from Passphrases advice
What is the random words technique?
The random words technique is an easy way to create a fairly strong and fairly memorable password.
All it requires is that users choose a minimum of three random words, that are entirely unrelated to them, their interests, their work, or anything else that could be guessed by a third party, and add them together to create a password.
For example, you might pick stool, Hungary, and wrath to create stoolHungarywrath as your new password.
To meet any complexity requirements, we advise users they can capitalise letters or add numbers and special characters to their password. However, major cyber security agencies now recommend service creators to not use complexity requirements (more info on this as well below).
Shouldn't users be encouraged to create more 'complex' passwords?
At first glance, a password like 'stoolHungarywrath' may look less secure than a password such as '!fhS7dn&4h!'. While a password such as the latter may take longer for a brute-force mechanism to crack, as long as a password has 12 or more characters and isn't one of the commonly used ones (such as 'mypassword' or 'qwerty123') it's going to take a long time for a brute force mechanism to blast through it.
More importantly, passwords are used by people. We encourage users to set a unique password for each of their devices and accounts, which helps protect them in case one password became breached. It would be impossible, however, for a user to remember a password such as '!fhS7dn&4h!' for each of their numerous accounts and devices. By setting onerous complexity requirements, users are only encouraged to write down their passwords and re-use passwords across accounts as they will have no other way to remember them.
Encouraging users to create passwords with the random passwords technique, therefore, strikes a balance between offering a good amount of protection against brute force attacks, while making it possible for users to actually remember their passwords.
Shouldn't users be encouraged to use password management tools - allowing them to create long and complex passwords?
Password management tools offer one way to let users create more complex passwords to their online services without having to remember them.
However, password management tools can also serve as an easy way for a cyber criminal to get access to all of a user's accounts should the tool become compromised, or should the user not set a strong enough password for the tool itself.
While we recognise password management tools still offer benefits and are used by many companies now, we focus our advice on helping users set strong and unique passwords rather than relying on tools.