Password cracking with What3Words based wordlists ...
I've recently had a couple of things drawn into my consciousness and after a bit of bouncing around on the inside of my skull they collided. Interestingly they both hinge around the same principle - and that's where there might be a little chink in the armour.
It seems that human beings are quite good at managing short sequences of three words. Recent NCSC guidance has pointed users at creating passwords from "three random words". (Not an original idea on their part there - but getting traction given their influence. Not everyone is a fan though.)
For lots of reasons (outlined in the NCSC article above) this is actually a pretty reasonable idea. However, as is a well documented universal truth, humans are astonishingly good at taking the path of least resistance. This is why we need guidance like the above in the first place: if we (as a species) were capable of choosing, remembering and using complex, un-guessable passwords not based on the names of our favourite football team, pet or date of birth, this advice wouldn't be needed and a bunch of password manager business models would be shot.
Enter stage left What3Words, who recently hit the press for all the wrong reasons. To summarise for anyone who hasn't come across it: it makes use of a similar piece of psychology, using three words to pinpoint a physical location rather than relying on the less memorable latitude and longitude references. So instead of 48.8583736, 2.2922926 we get investor.savings.lance - both of which relate to the Eiffel Tower in Paris.
Enter stage right the human being, a messy bag of emotions and sentimentality. We don't really do "random"; we do things that have a meaning to us, consciously or unconsciously, we have biases and so on. Which is why we choose the names of loved ones, pets and important dates for our current lousy password choices.
Some of you will have already guessed where I am going with this. We have a custom made service on the internet for creating "random three word passphrases" based around something that is meaningful to an individual. So the person whose password used to be "ManchesterUnited" is now "nurses.librarian.ruby" ... The catch is that those three words are only random from the user's point of view. From an attacker's point of view they are drawn from a fixed vocabulary of dictionary words, and the addresses people are likely to pick cluster around the places that mean something to them: home, work, the local pub, the holiday spot.
I'm not suggesting that this is necessarily going to have a huge impact, that many people will know about it (although the fact that if you search "What three words" you end up there will introduce a little passing traffic I'm sure ...) or that many will make use of it, but as a place to start constructing password cracking wordlists that can start to assault the new standard it is one worth considering ... One caveat for anyone who tries it: the full space of three-word combinations is far too large to brute force, so a useful wordlist has to be targeted (addresses in and around places tied to the target) and then mangled with the separators, capitalisation and suffixes that people actually type when a site rejects a bare "a.b.c".
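As an added example (this is not code from the original post, and it uses no What3Words API or data), here is a small Python generator that turns a handful of three-word addresses into a cracking wordlist. It takes the address the post quotes, investor.savings.lance, plus two constructed placeholder addresses, and expands each into the variations a user is likely to have typed: with or without separators, a few capitalisation patterns, common numeric or punctuation suffixes, and optionally the words in a different order. The separator and suffix lists are my own assumptions about common mangling, not anything the post specifies.

```python
"""Expand What3Words-style three-word addresses into password candidates.

Added example, not code from the original post. Only investor.savings.lance
comes from the post; the other addresses are constructed placeholders and
are not real What3Words addresses. No What3Words API is called.
"""
import itertools
from typing import Iterable, Iterator, List

# Constructed sample input: addresses a target might find meaningful.
SAMPLE_ADDRESSES = [
    "investor.savings.lance",   # quoted in the post
    "pebble.harbour.kettle",    # made up
    "quiet.lantern.orbit",      # made up
]

# Assumed mangling rules: how people join the words and what they append
# when a password policy demands "more" than three lowercase words.
SEPARATORS = ["", ".", "-", "_", " "]
SUFFIXES = ["", "1", "!", "123", "2021"]


def parse_address(addr: str) -> List[str]:
    """Split 'one.two.three' into its words; reject anything else."""
    words = addr.strip().lower().split(".")
    if len(words) != 3 or not all(w.isalpha() for w in words):
        raise ValueError(f"not a three-word address: {addr!r}")
    return words


def is_three_word_address(addr: str) -> bool:
    """True if parse_address would accept the string."""
    try:
        parse_address(addr)
        return True
    except ValueError:
        return False


def case_variants(words: List[str]) -> Iterator[List[str]]:
    """Four capitalisation patterns: lower, Title Each, UPPER, First only."""
    yield [w.lower() for w in words]
    yield [w.capitalize() for w in words]
    yield [w.upper() for w in words]
    yield [words[0].capitalize()] + [w.lower() for w in words[1:]]


def candidates(addr: str, reorder: bool = False) -> Iterator[str]:
    """Yield every unique mangled form of one address.

    With reorder=True all six word orders are tried, since a user who
    half-remembers an address may swap the words around.
    """
    words = parse_address(addr)
    orders = itertools.permutations(words) if reorder else [tuple(words)]
    seen = set()
    for order in orders:
        for cased in case_variants(list(order)):
            for sep in SEPARATORS:
                base = sep.join(cased)
                for suffix in SUFFIXES:
                    cand = base + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def build_wordlist(addresses: Iterable[str], reorder: bool = False) -> List[str]:
    """Combine candidates for all addresses, de-duplicated, input order kept."""
    seen = set()
    out: List[str] = []
    for addr in addresses:
        for cand in candidates(addr, reorder):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def write_wordlist(path: str, addresses: Iterable[str], reorder: bool = False) -> int:
    """Write one candidate per line (the format hashcat/john expect); return count."""
    words = build_wordlist(addresses, reorder)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    for cand in build_wordlist(SAMPLE_ADDRESSES)[:8]:
        print(cand)
    print("total candidates:", len(build_wordlist(SAMPLE_ADDRESSES)))
```

Each address expands to 100 candidates without reordering (4 capitalisation patterns, 5 separators, 5 suffixes) and 600 with it, so the size of the list is driven entirely by how many plausible addresses you feed in, not by the generator. In practice you would write only the bare lowercase dotted forms and let a cracking tool's rule engine do the mangling, but spelling the expansion out here makes it clear what the "three random words" actually look like once a real user has adapted them to a password policy.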