Should we all switch our passwords to three random words?

300troop

A recent UK National Cyber Security Centre report recommended that that passwords of three random words are better than a complex one. Any views?

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

MerryBit

At least one person thinks it's a bad idea:

https://paul.reviews/passwords-why-using-3-random-words-is-a-really-bad-idea/

Personally, I say it's... complicated. 😉

ag_ana

@300troop:

It's important that the password is as long as possible. Since you can use 1Password to generate also word-based passwords if you prefer, just make sure that you choose the best possible option that the website accepts :+1:

Personally, I use word-based passwords wherever I can, but longer than 3 words since I don't need to remember them anyway ;)

[Deleted User]

@300troop I think the NCSC's message is aimed at people who are not using a password manager. The argument for using passphrases built of dictionary words is that they are secure enough and more memorable than a purely random password. Generally speaking, people using a password manager don't need to remember passwords and so should use purely random passwords as they are more secure. The exception, I think, is where you might need to say a password over the phone or enter it into an app on an unsupported platform, e.g. a TV. In this case, it makes sense to use passphrases or passwords with easy to read patterns.

ag_ana

Indeed. And, just for the benefit of the discussion, there is also the opposite theory that suggests that passphrases are actually better than complex passwords: https://1password.community/discussion/111531/the-fbi-now-says-pass-phrases-are-more-secure-than-passwords-with-extended-special-characters

meeee11111

I also found that article by Paul about how hackable 3 word passwords are, and now found this discussion. If my iPhone ever got remote rooted through hacking or stolen (and shut off so I can't use Find My iPhone to wipe the device) and they use a GrayKey tool or other device to physically get into my iPhone, would the Secret Key be bypassed?

So then my only layer of protection would be my three word password?

I'd like to continue using a 3 word password because it's easier to remember and quicker to type out than a 6 word, so I'm curious if the Secret Key could be bypassed in these cases and the only protection is my 3 word password.

https://paul.reviews/passwords-why-using-3-random-words-is-a-really-bad-idea/
https://appleinsider.com/articles/21/06/22/iphone-hacking-tool-graykey-techniques-outlined-in-leaked-instructions

ag_ana

@meeee11111:

If my iPhone ever got remote rooted through hacking or stolen (and shut off so I can't use Find My iPhone to wipe the device) and they use a GrayKey tool or other device to physically get into my iPhone, would the Secret Key be bypassed?

So then my only layer of protection would be my three word password?

The password is what protects your 1Password data on your device. If someone has complete control over your device without your authorization, even remotely, then that is what protects you at the end of the day.

The Secret Key protects you from a different type of risk:

Your Master Password protects your data on your devices. Someone who has access to your devices or backups won’t be able to unlock 1Password without your Master Password, which only you know.
Your Secret Key protects your data off your devices. Someone who attempts a brute-force attack on our servers won’t be able to decrypt your data without your Secret Key, which we never have.

So in your scenario, it's the Master Password that protects you.