While some organizations such as Google and Microsoft want to kill off passwords, it's not an easy task considering that it's a traditional form of authentication used heavily by almost all online services. Back in 2016, the National Cyber Security Centre (NCSC) - which is a UK Government organization that provides guidance on cybersecurity - pushed people to choose a combination of three random words as their password when signing up online instead of thinking up or reusing a complex password. The topic sparked quite a debate, and now, the organization has shed more light on why it gave this advice.
The NCSC has highlighted that most websites enforce the use of complex passwords which usually includes a combination of multiple characters and symbols. This counter-intuitively makes the job of malicious actors easier too since they can use these rules and knowledge of existing password patterns to optimize brute-force attacks. It also means that people reuse the same password or variations of it across multiple websites because it's tedious to create and remember numerous complex passwords. This action is also driven by the belief that storing passwords online or offline is risky. While the NCSC admits that passwords can be stolen from either type of repository, the chances are quite low in secure storage solutions and the benefits usually outweigh the risks.
In this vein, the organization believes that it is better to use a combination of three random words. Some reasons for this move includes the increased length of passwords, its adoption as an easy-to-understand standard, its novelty in the current tech landscape, and its usability.
The NCSC has also responded to some concerns that have been raised since it initially provided this guidance both for personal and work use. Some have claimed that search algorithms to guess "three random words" already exist. The organization claims that under its proposed technique, people will still generate their passwords through multiple personalized ways, which means that an attacker may have to use several algorithms to figure out useful passwords. In comparison, given the fixed set of lexical rules that most website enforce on passwords currently, it's easier for an attacker to use a single algorithm to guess passwords.
Regarding claims that this technique will lead to weaker passwords, the NCSC had the following to say:
There are many common passwords that conform to complexity requirements. For example, ‘Pa55word!’ may follow the complexity requirements for a website or service, but is a lousy password as it's quite guessable. Similarly, there are unique complex passwords (generated using three random words) that would not be permitted. Complexity requirements alone is a blunt instrument; to provide a more targeted removal of weak passwords, the NCSC recommend a minimum length requirement combined with the application of password deny lists.
Finally, the cybersecurity body has noted that even three random words as your password is not a silver bullet. It strongly recommends using secure solutions to store passwords generated with this technique and has placed hopes that the wider strategy of reducing reliance on passwords is successful before password diversity in this domain is minimized as well - as is the problem with seemingly complex passwords currently.