It is far better to concoct passwords made up of three random words than to use more complex variations involving streams of letters, numbers and symbols, UK government experts have said.

The National Cyber Security Centre (NCSC), part of Government Communications Headquarters, highlighted its “three random words” recommendation in a new blogpost.

It said a key reason for using the system is it creates passwords that are easy to remember, yet strong enough to keep online accounts secure from cybercriminals, owing to their unusual combination of letters.

By contrast, more complex passwords can be ineffective because sometimes they are more guessable for criminals and the software they build to detect them, according to the advice.

The agency says cybercriminals target predictable means that are supposed to make passwords more complex – such as substituting the letter O with a zero, or the number one with an exclamation mark.

Criminals allow for these kinds of patterns in their hacking software, which negates any added security from such passwords.

“Counter-intuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords,” the agency said.

Passwords constructed from three random words tended to be longer and harder to predict, and used letter combinations that were more difficult for hacking algorithms to detect, according to the advice.

The blogpost conceded that using three random words was not 100% safe because people might use predictable word combinations, but said a major advantage of the system was its usability “because security that’s not usable doesn’t work”.

Cybercrime has soared during the pandemic, with online fraud rising 70% over the past year, according to data from the Office for National Statistics.

“Traditional password advice telling us to remember multiple complex passwords is simply daft,” the NCSC’s technical director, Dr Ian Levy, said on the centre’s website.

“There are several good reasons why we decided on the three random words approach – not least because they create passwords which are both strong and easier to remember.

“By following this advice, people will be much less vulnerable to cybercriminals and I’d encourage people to think about the passwords they use on their important accounts, and consider a password manager.”