https://www.theguardian.com/technolo...on-experts-say
In a blogpost, the National Cyber Security Centre (NCSC) – which is part of Government Communications Headquarters – said a three-word system creates passwords that are easy to remember. In addition, it creates unusual combinations of letters, which means the system is strong enough to keep online accounts secure from cybercriminals. By contrast, more complex passwords can be ineffective as their makeup can often be guessed by criminals using specialist software.
The agency said cybercriminals targeted predictable strategies meant to make passwords more complex. Examples include substituting the letter O with a zero, or the number one with an exclamation mark.
Criminals allow for such patterns in their hacking software, negating any added security from such passwords. “Counterintuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords,” the agency said.
By contrast, passwords constructed from three random words tended to be longer and harder to predict, and used letter combinations that were more difficult for hacking algorithms to detect, it said.
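As an added example (not from the article or the NCSC), this Python sketch shows a signup-time check that undoes the predictable substitutions described above and matches the result against a deny list, alongside a three-random-words generator. The word list, deny list, substitution table and function names are constructed assumptions for illustration.

```python
import math
import secrets

# Constructed sample word list (assumption); a real one holds thousands of words.
WORDS = ["coffee", "train", "fish", "wall", "tin", "shirt", "cloud", "lamp"]

# Constructed deny list of common base passwords (assumption).
COMMON = {"password", "welcome", "london", "football"}

# Reverse table for predictable character swaps such as O -> 0.
# Only the zero swap is named in the article; the others are assumed.
UNSWAP = str.maketrans({"0": "o", "@": "a", "3": "e", "$": "s"})

# Digits and "!" (the usual stand-in for 1) appended to satisfy complexity rules.
SUFFIX_CHARS = "0123456789!"


def normalise(password):
    """Strip the appended digit/symbol suffix, then undo character swaps."""
    return password.lower().rstrip(SUFFIX_CHARS).translate(UNSWAP)


def is_predictable(password):
    """True if the password reduces to a deny-listed word."""
    return normalise(password) in COMMON


def three_random_words(words=WORDS, n=3, sep="-"):
    """Pick n words with a CSPRNG; random.choice is not suitable here."""
    return sep.join(secrets.choice(words) for _ in range(n))


def passphrase_bits(wordlist_size, n=3):
    """Entropy in bits of n words drawn uniformly from wordlist_size words."""
    return n * math.log2(wordlist_size)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "W3lcome2021!", three_random_words()]:
        print(candidate, "predictable" if is_predictable(candidate) else "ok")
    print("3 words from a 4096-word list:", passphrase_bits(4096), "bits")
```

The entropy figure only holds when the words are chosen at random by the generator; three words picked by the user from memory are not uniformly distributed.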