Three Random Words Make for Better Passwords than Complex Sequences, Experts Say

Passwords built from complex sequences of uppercase letters, lowercase letters, numbers, and symbols are widely believed to be more secure than simpler alternatives, but cyber security experts in the U.K. disagree.

In a new blog post explaining why complexity requirements are overrated, the National Cyber Security Centre (NCSC) urged companies and other organizations to accept passwords comprising three random words as a more effective way of keeping users’ accounts secure.

Although complex strings make sense on a surface level, the NCSC argued that these requirements are actually more likely to result in weaker passwords, as they push users toward predictable and exploitable patterns (e.g., replacing the letter “o” with a zero).

The NCSC believes that the use of three random words is preferable for four reasons.

Currently, complexity requirements are actively working against password diversity (for all the reasons mentioned above). This has led to convergence in strategies and a reduction in password diversity. To increase diversity, we need to encourage people to use other password construction strategies (such as ‘three random words’), that use length rather than character sets to achieve the desired strength. This effectively encourages the adoption of passwords that are currently unused, increasing password diversity in the ecosystem.

Source: National Cyber Security Centre

Tsing Mui
News poster at The FPS Review.
