Britain’s National Cyber Security Centre recently said a three-word system for passwords can be effective at deterring hackers.  The word combinations are easier to remember than random passwords. But outside experts say that you still need to be vigilant about how you create your passwords.  “People should avoid using words that are very simple or obvious,” Jim Gogolinski, a vice president at the cybersecurity firm iboss, told Lifewire in an email interview. “For instance, Password123 isn’t a great password. Additionally, with so many people posting updates of their lives on social media sites, it’s important not to use a word that can be easily tied to you.” Avoid your child’s or pet’s names, birth date, street names, or anything else that could be easy to find on a public site, Gogoglinski said, adding that “a password should be unique to the individual, but hard to crack.”

Patterns Are Your Enemy

In a recent blog post, the National Cyber Security Centre said that hackers target common methods intended to make passwords more complex. For example, many users exchange the letter O with a zero or the number one with an exclamation mark. Software that cybercriminals use is programmed to look out for common password patterns, rendering them ineffective.  “Counterintuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords,” the agency wrote. However, there’s an easy fix to the password complexity problem. Passwords made up of three random words are usually longer and harder to predict, the Centre said. Hacking programs typically have a harder time cracking these word combinations.  “Using memorable phrases that are associated with the site or service is totally fine, especially if using a password tool is not something you like to do,” Daniel Markuson, a digital privacy expert at cybersecurity firm NordVPN, told Lifewire in an email interview. “Avoid using your ‘username’ or personal information that could be easily Googled in your passwords, and of course, a simple sequence of letters and numbers is almost worse than no password at all.”

Not All Passwords Are Equal

Some cybersecurity experts had caveats about the Security Centre’s recommendation to use words instead of characters.  Passwords made up of words are easier to remember than random complex strings of letters, but it’s important that the password is still long and complicated, Joseph Carson, chief security scientist at cybersecurity firm Thycotic, told Lifewire in an email interview.   “It is imperative to note that the recommendation is to combine multiple words together as it will make the password long but also easier to remember,” he added.    The longer the word combination, while continuing to include special characters, will make it more difficult for password cracking techniques to be successful, Carson pointed out.  Words are better than randomized passwords because they can be easily remembered instead of being written down, Tyler Shields, chief marketing officer of cybersecurity firm JupiterOne, told Lifewire in an email interview.  “If you must use a password, get a password manager and use very complex, difficult to guess, randomly generated passwords via those tools,” Shields said.  The most secure option is to use a multi-factor authentication tool, an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence, experts say.  “With multi-factor authentication, you get a new password every time you need it,”  James Arlen, a security expert at cloud data firm Aiven, told Lifewire in an email interview. “It’s much harder to guess a password that changes every minute.” Many browsers have built-in password generators, such as Google Chrome, pointed out Jacqueline Lowy, CEO of the private intelligence firm Sourced Intelligence. Otherwise, pick a random string of 3-4 words and replace characters to make them more secure.  “It could be lyrics from a favorite poem, a nursery rhyme you sing to your kids or even a phrase that combines languages,” Lowy told Lifewire in an email interview. “Be creative, and make sure you use different passwords across all platforms.”