Three Random Words: The NCSC Solution That Actually Works

Cyber Security for Small Businesses

After yesterday’s podcast revelation about our collective digital archaeology disaster, let’s talk about the solution hiding in plain sight.

The UK’s National Cyber Security Centre dropped some wisdom that sounds almost too simple to work: pick three random words for your passwords.

“Coffee train fish.” “Wall tin shirt.” “CabbagePianoBucket.”

Easy to remember, and unlike “password123,” they’re not on every hacker’s greatest hits list. It’s practical, secure, and dare I say, cheerful.

Why Complexity Theatre Fails Spectacularly

As discussed on the podcast, password complexity rules started out as a way to boost entropy - the nerdy term for unpredictability. But somewhere along the way, it became a game of who can remember the least intuitive string of characters while juggling 250 accounts.

You know what that leads to? Sticky notes under keyboards. Or passwords like “CoolKid94” that haven’t been updated since 1994.

The human behaviour statistics from our show tell the complete story:

  • 79% “create” passwords by mashing together words and numbers in barely inventive combinations

  • 18% of people include their pet’s name in passwords (“Fluffy123” isn’t Fort Knox)

  • 12% use their partner’s name (imagine getting hacked and losing both data and dignity)

  • 61% of hacked accounts had passwords under eight characters

Meanwhile, Scientific American research shows that jumping from six characters to twelve makes a password 62 trillion times harder to crack. Trillion with a “T.”

So why are we still clinging to the bare minimum? Because complexity sounds like security, but it’s a facade.

The NCSC #ThinkRandom Revolution

The beauty is in the randomness. No special characters needed. Three unrelated, simple words, and you’re sitting on a password that’s easy to remember and a nightmare to crack.

The NCSC’s #ThinkRandom initiative? Such a practical masterpiece. It’s about “keeping the bad guys out” in a way that doesn’t feel like self-torment.

Here’s why it works better than password gymnastics:

Entropy Through Length: Three random words typically create 15+ character passwords. Length beats complexity every time for actual security.

Human Memory Compatibility: Our brains remember stories and word combinations far better than abstract symbol sequences. “CabbagePianoBucket” tells a weird story your brain can retain.

Defeats Dictionary Attacks: Random word combinations aren’t in any hacker wordlist. “Coffee train fish” appears in zero password databases because normal humans don’t think that way.

Meets Complexity Requirements: Most systems require uppercase, lowercase, and numbers. “Coffee7Train2Fish9” satisfies requirements while remaining memorable.

Real-World Implementation for UK SMBs

Instead of the corporate standard “MyCompany2025!” which screams “please hack me,” try:

  • “GreenElephantWhistle”

  • “BookshelfTuesdayRocket”

  • “PurpleClockLemon”

  • “WindowBreadStaircase”

These combinations:

  • Meet length requirements (15+ characters)

  • Include uppercase and lowercase naturally

  • Are impossible to guess even for people who know you

  • Don’t require special character gymnastics

  • Create unique mental images for memorability

The Business Psychology Angle

Why does this approach work when complex requirements fail?

Cognitive Load Theory: Human working memory can handle 7±2 items. Three words fit comfortably. “P@ssw0rd!2025#SMB” exceeds cognitive capacity and gets written on sticky notes.

Pattern Recognition: We’re wired to remember narratives. “Purple elephant dancing” creates mental imagery. “Gh7$Mk9@Pz4!” creates stress.

Compliance vs Security: Complex requirements create compliance theatre while three random words create actual security. Employees follow policies they can actually implement.

NCSC Implementation Guidelines

The official NCSC guidance recommends:

True Randomness: Don’t use three words about your business, family, or interests. “AccountingTaxesProfit” isn’t random for an accounting firm.

Quarterly Rotation: Change word combinations every three months. “SummerBeachSandcastle” becomes “AutumnLeafBonfire.”

Unique Combinations: Different three-word sets for different accounts. Don’t reuse across systems.

Additional Security: Add numbers if systems require them. “Coffee7Train2Fish9” maintains memorability while meeting requirements.

The International Perspective

Why did the NCSC develop this guidance? Analysis of billions of compromised passwords revealed that complexity requirements weren’t preventing breaches. Length and randomness were.

Other nations are following suit:

  • Australia’s ACSC adopted similar guidance

  • Canada’s CSE recommends passphrases over complexity

  • Germany’s BSI updated requirements to emphasise length

The UK led this transformation because we recognised that security policies must account for human psychology, not just mathematical complexity.

Common Implementation Mistakes

Wrong: Using related words (“Red Blue Green” - pattern recognition)
Right: Using random words (“Bicycle Mustard Volcano” - no logical connection)

Wrong: Using personal references (“DogCatFish” when you have pets)
Right: Using abstract combinations (“Thunder Paperclip Ocean”)

Wrong: Adding predictable numbers (“Coffee Train Fish 123”)
Right: Using random number placement (“Coffee7Train2Fish9”)

Security Comparison: Traditional vs NCSC

Traditional Approach: “MyC0mp@ny2025!”

  • 12 characters

  • Predictable business reference

  • Common substitution patterns (@ for a, 0 for o)

  • Meets complexity requirements

  • Forgotten within weeks, written on sticky notes

NCSC Approach: “PurpleElephantTelegraph”

  • 20 characters

  • Zero predictable patterns

  • Impossible to guess even with personal knowledge

  • Naturally meets requirements

  • Memorable through visual imagery

Security Analysis: The NCSC approach is exponentially more secure despite appearing “simpler.”
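To put numbers on the “length beats complexity” argument above, and to turn the Common Implementation Mistakes into something a small business could actually enforce, here is an added example (written for this page, not NCSC code or part of the original post). It estimates the entropy of a passphrase drawn at random from a wordlist, shows how the guess count grows with length for a random character password, generates three-word passphrases with a cryptographically secure random source, and runs the candidate through the checks the post lists (too short, too few words, a personal or business reference, predictable digit runs, leet-style substitutions). The wordlist, the deny list and the issue codes are all constructed for the demonstration; the entropy figure assumes the attacker knows the list and the words were chosen uniformly at random from it, which is exactly why the words must be picked at random rather than from your life.

```python
import math
import re
import secrets

# Constructed demo wordlist (an assumption for this example). A real generator
# would draw from a list of several thousand words; the maths below scales
# with the list size, and a bigger list means more entropy per word.
WORDLIST = [
    "cabbage", "piano", "bucket", "coffee", "train", "fish", "wall", "tin",
    "shirt", "bicycle", "mustard", "volcano", "thunder", "paperclip", "ocean",
    "elephant", "whistle", "bookshelf", "rocket", "purple", "clock", "lemon",
    "window", "bread", "staircase", "telegraph", "green", "tuesday", "sand",
    "bonfire", "leaf", "castle",
]

# Constructed deny list for the "personal reference" mistake: words a
# particular business would block because anyone who knows it could guess them.
DENY_WORDS = {"mycompany", "accounting", "taxes", "profit", "fluffy", "dog", "cat"}


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy (bits) of word_count words drawn uniformly at random from a
    list of wordlist_size words, assuming the attacker knows the list."""
    return word_count * math.log2(wordlist_size)


def charset_entropy_bits(length, charset_size):
    """Entropy (bits) of a truly random character password of this length."""
    return length * math.log2(charset_size)


def guess_multiplier(short_len, long_len, charset_size):
    """How many times more guesses a random password of long_len needs than
    one of short_len over the same character set (the "trillions" effect)."""
    return charset_size ** (long_len - short_len)


def generate_passphrase(word_count=3, wordlist=WORDLIST):
    """Pick the words with the secrets module (a CSPRNG), never random.choice,
    and join them CamelCase style so the result has upper and lower case."""
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    return "".join(w.capitalize() for w in words)


def split_words(candidate):
    """Recover the words from 'CoffeeTrainFish', 'Coffee7Train2Fish9' or
    'coffee train fish' by splitting on capitals, digits and spaces."""
    return re.findall(r"[A-Z][a-z]+|[a-z]+", candidate)


def check_passphrase(candidate, deny_words=DENY_WORDS, min_len=15, min_words=3):
    """Policy checks mirroring the post's list of mistakes. Returns a list of
    issue codes (constructed names); an empty list means the candidate passed."""
    issues = []
    words = [w.lower() for w in split_words(candidate)]
    if len(candidate) < min_len:
        issues.append("too_short")
    if len(words) < min_words:
        issues.append("too_few_words")
    if len(set(words)) != len(words):
        issues.append("repeated_word")
    for w in words:
        if w in deny_words:
            issues.append("denied_word:" + w)
    # Three or more digits in a row ("123", "2025") are the predictable
    # number mistake; single digits scattered between words are not flagged.
    if re.search(r"\d{3,}", candidate):
        issues.append("digit_run")
    # "@" for "a", "$" for "s" and "0" for "o" between letters are the common
    # substitution patterns cracking tools try first.
    if re.search(r"[@$]|[A-Za-z]0[A-Za-z]", candidate):
        issues.append("leet_substitution")
    return issues


if __name__ == "__main__":
    print("3 words from a 7776-word list:",
          round(passphrase_entropy_bits(3, 7776), 1), "bits")
    print("12 random printable ASCII chars:",
          round(charset_entropy_bits(12, 95), 1), "bits")
    print("6 -> 12 chars multiplies guesses by", guess_multiplier(6, 12, 95))
    candidate = generate_passphrase()
    print("generated:", candidate, "issues:", check_passphrase(candidate))
    print("MyC0mp@ny2025! issues:", check_passphrase("MyC0mp@ny2025!"))
```

Note that the entropy figure is only honest when the words really are random: a list of 7776 words gives about 38.8 bits for three words, and four words from the same list beat twelve random characters in memorability while still costing an attacker billions of guesses. A candidate like “Coffee7Train2Fish9” passes every check here, while “MyC0mp@ny2025!” trips the length, digit-run and substitution checks at once.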

Moving Beyond Three Words

As we discussed on the podcast, this is transitional guidance. Passkeys and biometric authentication will eventually replace passwords entirely. But during the transition period, three random words provide:

  • Superior security to complex passwords

  • Human-compatible memorability

  • Business policy compliance

  • Bridge to a passwordless future

Microsoft is pushing toward passkeys, but until universal adoption, UK SMBs need practical interim solutions. Three random words work across all systems, devices, and scenarios.

Tomorrow’s Challenge

Tomorrow, Mauven explores the psychology behind why we stick to terrible password habits despite knowing better. Why do 44% of people never change passwords? Why does 78% password reuse persist despite constant breach warnings?

The answer isn’t technical—it’s human. Understanding human psychology is crucial for implementing security that works in practice, not just on paper.

Wednesday’s question: If three random words are so effective, why do people resist adopting them? Mauven will dive deep into the behavioural science that explains our digital security failures.

Spoiler alert: The problem isn’t that people don’t understand security. The problem is that our security systems don’t understand people.

Sources

  • NCSC (Government Agency): Three Random Words Guidance
  • Scientific American (Publication): Memory Trick Increases Password Security
  • Podcast (Audio Content): Passwords are Dead, Long Live Passwords
  • NCSC (Government Blog): The Logic Behind Three Random Words
  • Specops Software (Security Analysis): Three Random Words Passwords - How Secure is This Method?
  • Paul Reviews (Security Critique): Passwords: Using 3 Random Words Is A Really Bad Idea!
  • Big Think (Science Publication): Strong Passwords: The Mathematical Power of 3 Random Words
  • HS Today (Security Magazine): Why Three Random Words Make the Best Passwords

Filed under

  • ncsc-guidance-preview
  • three-random-words
  • uk-password-policy
  • complexity-theatre
  • practical-cybersecurity