GCHQ, the UK intelligence agency, is urging computer users to ditch complex passwords for simpler ones, consisting of three random words strung together, and to use password managers.

Its guidelines fly in the face of common wisdom, which says that passwords should contain a mixture of letters, numbers and symbols and be at least 10 to 12 characters long. That said, GCHQ’s rationale makes sense. Many people have at least ten online accounts, and often more, for services, shopping and workplace network access. Trying to remember long, complex passwords is a near impossibility, and as a result people often have only one or two that they use across a number of accounts.

GCHQ says using passwords made from three random words, and also using password managers, is enough to keep people safe as long as they are also using proven internet protection to keep malware out.

Note the emphasis on password managers. These software tools automatically generate passwords on your behalf and secure them in a digital strong box.

The suggestions seem sensible at face value, allowing users to remember passwords and not advocating the use of complex passwords for each service they use.
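As an added illustration (not code from GCHQ's guidance or from this article), the Python example below picks three words with the operating system's cryptographic random number generator and estimates the strength of the result. The word list, the function names and the minimum list size are assumptions made for the example.

```python
import math
import secrets

# Constructed sample list (assumption): 32 words keep the example short.
# A real generator would load a list of several thousand common words.
SAMPLE_WORDS = (
    "anchor basket candle dragon ember falcon garden harbor "
    "island jacket kettle lantern marble needle orchid pepper "
    "quartz ribbon saddle timber umbrella velvet walnut yonder "
    "zephyr bridge copper feather glacier hammer meadow pillow"
).split()

MIN_WORDS = 16  # hypothetical floor, chosen only for this example


def check_wordlist(words):
    """Reject lists that would silently weaken the passphrase."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    if len(words) < MIN_WORDS:
        raise ValueError("word list is too small")


def pick_words(words, count=3):
    """Choose `count` words independently and uniformly at random."""
    check_wordlist(words)
    # secrets.choice draws from the OS CSPRNG, unlike random.choice.
    return [secrets.choice(words) for _ in range(count)]


def passphrase_bits(list_size, count=3):
    """Entropy in bits when every word is an independent uniform pick."""
    return count * math.log2(list_size)


def average_guesses(list_size, count=3):
    """About half the combinations, for an attacker who knows the list."""
    return (list_size ** count) / 2


if __name__ == "__main__":
    words = pick_words(SAMPLE_WORDS)
    print("".join(words))  # three words strung together
    print(f"{passphrase_bits(len(SAMPLE_WORDS)):.1f} bits with this sample list")
```

The estimate holds only when the tool picks the words at random; words a person chooses for themselves are far easier to guess.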

However, and unsurprisingly, some people will be sceptical about advice from GCHQ, which in the past has lobbied for backdoors to be placed in software and for the weakening of encryption used on messaging apps and some email services. In short, it is renowned for snooping, as revealed by Edward Snowden.

That said, if GCHQ wanted to hack specific passwords, whether complex strings of letters, numbers and characters, or three random words strung together, it most surely could.

The organisation has powerful technology available, including supercomputing capacity, which can be used to attack other countries' communications, weapons systems and even infrastructure, and which could crack even the toughest of passwords.

If you’re interested in the report from GCHQ it can be found here.

Two-factor authentication

Finally, as a reminder, BullGuard would also like to add that two-factor authentication (often shortened to 2FA) is invaluable in helping protect your accounts and should be used wherever possible.
  • Two-factor authentication provides a way of 'double checking' that you really are the person you are claiming to be when you're using online services, such as banking, email or social media. It is available on most major online services.
  • When setting up 2FA, the service will ask you to provide a 'second factor', which is something that you (and only you) can access. This could be a code that's sent to you by text message, or one that is created by an app.
  • Passwords can be stolen by cyber criminals, potentially giving them access to your online accounts. However, accounts that have been set up to use 2FA will require an extra check, so even if a criminal knows your password, they won't be able to access your accounts.
  • It’s a good idea to set up 2FA on 'high value' accounts that protect things you really care about and that would cause you the most harm if their passwords were stolen.
  • You should also use it for your email, to deter criminals from gaining access to your inbox, which may contain sensitive information relating to financial transactions that could be exploited.