This article is more than 1 year old

UK's National Cyber Security Centre recommends password generation idea suggested by El Reg commenter

Who says everything below the line is a cesspit of useless filth?

Nearly a third of Britons use the name of their pet or a family member as a password, the National Cyber Security Centre has said as it advised folk to adopt what looks very much like a Register forum user's suggestion for secure password generation.

A survey of 1,282 British adults commissioned by the NCSC showed that 15 per cent used a pet's name while 14 per cent use the name of a family member as a password.

The old staples of "123456" and "password" still each account for 6 per cent of login phrases used by Brits, the GCHQ offshoot found.

As an antidote to this (and 40 per cent of us don't use crap passwords made up of birthdays or our favourite football teams), the NCSC recommended using "strong passwords made up of three random words," immediately bringing to mind that location-finding app, what3words.

Nicola Hudson, NCSC director of policy and comms, said in a canned statement: "We may be a nation of animal lovers but using your pet's name as a password could make you an easy target for callous cyber criminals."

She urged world+dog to visit new campaign website "and follow our guidance on setting secure passwords which recommends using passwords made up of three random words."

thing explainer - cover of randall munroe's book

Randall Munroe spoke to The Reg again. We're habit-forming that way


On this one it seems NCSC have been reading The Register rather closely: the suggestion of using three words for a unique but easy-to-remember password was made by commenter Steve Davies 3 back in March last year. He advised using what3words, which divides the world up into 3m2 grid squares and assigns each of them a three-word code. Hence the single most valuable building in Great Britain can be identified as handed.dawn.short rather than Ordnance Survey grid reference SJ 89773 90375.

Steve was ahead of the usual human laziness inherent in password generation, suggesting that users pick a spot which wasn't their home front door as a unique memorable location. Once they'd generated three words from a random location he advised reordering them for extra security.

Nonetheless, we're certain there'll be at least one analyst out there who reads this and then changes his work device's password to cats.snake.native.

Alternatively, it's also possible the GCHQ offshoot isjust shortening advice from Randall "XKCD" Munroe, who has said four random words is the way to go.

Other handy NCSC advice includes not reusing passwords for your email address, on the basis that your inbox is where all your password reset messages end up; someone malicious getting hold of that allows them to reset all your linked accounts at their leisure.

The agency also advised the use of your web browser's built-in password manager to save your long and complex passwords in, lest you forget them and lock yourself out.

Adenike Cosgrove, a cybersecurity strategist from email security biz Proofpoint, opined that passwords will probably become old hat soon, saying: "We have already seen a rise in methods such as facial recognition and other biometric authentication forms in use in place of the traditional password."

She added: "This shift may be essential, because although technical vulnerabilities may be harder to exploit in future, humans are already and will remain the most targeted link in cyber security, with the most tech-savvy individuals vulnerable to increasingly personalised and complex attacks."

If anyone's got a practical method of resetting your face after your encrypted mugshot is abused by crims, let us know by sticking it in the comments. ®


If you're not yet a member of our forums, it's much more fun to get stuck in than just to lurk. You don't have to post under your real name, either. You can join the fray below by signing up for an account here.

More about


Send us news

Other stories you might like