
Passwords built from complex sequences of uppercase letters, lowercase letters, numbers, and symbols are widely believed to be more secure than simpler alternatives, but cyber security experts in the U.K. disagree.

In a new blog post explaining why complexity requirements are overrated, the National Cyber Security Centre (NCSC) urged companies and other organizations to accept passwords comprising three random words as a more effective way of keeping users’ accounts secure.

Although complex strings make sense on a surface level, the NCSC argued that these requirements are actually more likely to result in weaker passwords, as they push users to choose predictable and exploitable patterns (e.g., replacing the letter “o” with a zero).

The NCSC believes that the use of three random words is preferable for four reasons.

Currently, complexity requirements are actively working against password diversity (for all the reasons mentioned above). This has led to convergence in strategies and a reduction in password diversity. To increase diversity, we need to encourage people to use other password construction strategies (such as ‘three random words’), that use length rather than character sets to achieve the desired strength. This effectively encourages the adoption of passwords that are currently unused, increasing password diversity in the ecosystem.

Source: National Cyber Security Centre
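To make the contrast concrete, here is an added example (not code from the NCSC post or this article) that runs a classic complexity rule and a length-first policy over the same inputs. The word list, the denylist, the substitution table and the 15-character minimum are constructed assumptions chosen for illustration.

```python
import math
import re
import secrets

# Constructed sample data (assumptions, not taken from the NCSC post).
COMMON = {"password", "welcome", "football", "monkey"}
# A real word list would hold thousands of entries.
WORDS = ["copper", "violin", "harbor", "meadow",
         "pepper", "lantern", "tunnel", "saddle"]

# Undo the predictable substitutions users reach for under complexity rules.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def meets_complexity_rule(pw):
    """Classic rule: 8+ characters with upper, lower, digit and symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)

def is_predictable(pw):
    """True if the password is a common word behind substitutions or padding."""
    low = pw.lower()
    # Also try the password with leading/trailing digits and symbols removed.
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", low)
    return any(c.translate(LEET) in COMMON for c in (low, core))

def accept_length_policy(pw, min_len=15):
    """Length-first policy: long enough and not a disguised common password."""
    return len(pw) >= min_len and not is_predictable(pw)

def three_random_words(words=WORDS, sep="-"):
    """Pick three words uniformly at random with a CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(3))

def passphrase_bits(list_size, n=3):
    """Entropy in bits when each word is drawn uniformly and independently."""
    return n * math.log2(list_size)

if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", three_random_words()):
        print(pw, meets_complexity_rule(pw), accept_length_policy(pw))
    print(passphrase_bits(len(WORDS)), passphrase_bits(4096))
```

The entropy figure only holds when the words are chosen by the generator; words a user picks by hand are not uniformly random.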


Join the Conversation


  1. I’ve always heard to just use the opening line to a poem, song or nursery rhyme. Make it memorable, but long.

  2. Wow these guys must read xkcd and post what he did like 5 years ago.


  3. My wife thought I was crazy for using a password manager. We have some services that have those really difficult-to-meet password requirements, and just writing them down in a notepad was no longer cutting it.

    So then I changed our bank account password to one of those 24 character random sequences. She stopped laughing and asked for the download for the app.
