
I checked several password policies that establish that 2 or more repeated characters are not allowed in the password, for example: "xxxxx5". But that policy doesn't make sense to me, because the password space is reduced (I know "xxxxx5" is an extremely insecure password, but there are really good passwords that use repeated characters and increase the password entropy), and I think that this kind of password is easier to crack using a brute force attack (there are fewer passwords that need to be checked).

Am I missing something?

I'm not a security expert so...

Could anybody explain to me if this policy is right or wrong?

Thanks

Jonathan Leffler
Miguel A. Carrasco
  • Obligatory link: [correct horse battery staple](http://xkcd.com/936/) - passwords should be free of such historical outdated nonsense – Nov 07 '12 at 01:34
  • Thanks for sharing this link; as you can see, although correct.horse.battery.staple is a good password, the described policy doesn't allow it as a valid one!! (because of the tt and rr) – Miguel A. Carrasco Nov 07 '12 at 17:20
  • re: user166390, I don't think something like "correcthorsebatterystaple" would make a good password, easy to dictionary attack? – KoKo Feb 09 '14 at 16:56

3 Answers

For ease of calculation let's assume that we're only allowing alphanumeric passwords. So we have 26 + 26 + 10 characters to choose from.

If we also assume that the password has a maximum length of 8 characters we have a password space of 62 ^ 8.

Also only one string of 5 repetitive characters could be used per password which means that we reduce the password space by 62 leaving us with (62 ^ 8) - 62 password possibilities. The amount of space reduced is entirely insignificant compared to the added security of preventing someone from entering an extremely weak password.

Spencer Ruport
  • A much more harmful policy is probably the maximum length of 8 characters. Making passwords much longer should help against brute-force attacks a lot. And an easy way to do this is to pad your 8 character password with simple patterns such as repetitions. A proper 30-letter random password would be better, but since those are hard to manage, blowing up a good 8-letter password with some simple pattern to become 30 letters is a big improvement. – Thilo Nov 07 '12 at 01:20
  • @Thilo - Agreed. I was just picking numbers as a demonstration. – Spencer Ruport Nov 07 '12 at 01:21
  • And I was not picking on you. I am happy you brought up the max length, because this is being enforced in many systems, and it is very counter-productive, probably undoing any good other password policies provide. Cannot understand the reasoning, either, because if you store hashes, the length does not matter at all for the server-side storage. Sad, but true story: My bank updated their online banking system recently and forced me to change my password to a *shorter* one. – Thilo Nov 07 '12 at 01:24
  • Thanks for your response, but the policy that I described before is about any consecutive repeated characters (2 or more), not just 5; in that case the password space is reduced more. I know that the "xxxxx5" example is an extremely insecure password, but for example "jj4ooo" is a good password that this policy doesn't allow – Miguel A. Carrasco Nov 07 '12 at 16:59

I agree that this policy does not make too much sense beyond being part of the "avoid dictionary words and other trivial passwords" rule (but that is a valid policy).

While excluding those does reduce the size of the password space, hackers do work with word lists, and words on that list get tried first, so traditionally, you'd want to forbid those. However, I am not sure how important this still is. Seems more important to me to make your password as long as possible, and throwing in extra repetitive characters should be preferable to the same, but shorter password with this padding removed.

Passwords that are "simple" and short at the same time are obviously bad no matter how you look at it. So excluding "xxxxx5" is a good policy, but "hys99h23sblahblahblahblahblahblahblah" is probably a good password.

Thilo
  • "throwing in extra repetitive characters" looks like a good idea if, after throwing them in, you check that the resulting string has the minimum length – Miguel A. Carrasco Nov 07 '12 at 17:14
  • you should be getting to a minimum length without the padding characters. "xxxxx5" is not good. – Thilo Nov 08 '12 at 05:51

Disallowing good passwords that happen to have repeated characters, like jjjbtieooygn, does slightly reduce security, since it very slightly reduces the search space (assuming the attacker knows the rules).

But the point of such restrictions is to disallow really poor passwords like jjjkkklllmmm.

An ideal solution would be to reject easily broken passwords -- but judging whether a password is easily broken is an extremely hard problem. It wouldn't be an issue if users could be trusted to use good passwords, but according to this article the three most popular passwords are password, 123456, and 12345678.

Rejecting xxxxx5 is far more likely to catch someone trying to use a really bad password than to inconvenience someone who happened to get xxxxx5 from a high-quality random number generator.

Keith Thompson
  • Ok, so basically this kind of policy tries to prevent users from choosing a wordlist password at the cost of reducing the password space; although it is not the best solution, it's a "practical" solution, because it's a hard problem to determine if a password is crackable using a wordlist (without using a wordlist), isn't it? Thanks for your response. – Miguel A. Carrasco Nov 07 '12 at 17:08
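As an added worked example (not part of the thread or any of the answers), the code below quantifies the search-space reduction that Spencer Ruport's answer estimates and that Keith Thompson's answer calls "very slight". It models the rule the question actually describes (no character immediately followed by itself) rather than the 5-in-a-row case, and uses the 62-symbol alphanumeric alphabet from Spencer's answer. The counting formula k · (k−1)^(n−1) is mine, and is cross-checked against brute-force enumeration for small alphabets; the sample passwords are the ones quoted in the thread.

```python
import math
from itertools import product

# Alphabet size from Spencer Ruport's answer: 26 + 26 + 10 alphanumerics.
ALPHANUMERIC = 62


def has_adjacent_repeat(password) -> bool:
    """The policy from the question: reject if any character is immediately
    followed by itself ("xx", "tt", ...). Works on str or tuple input."""
    return any(a == b for a, b in zip(password, password[1:]))


def count_without_adjacent_repeat(k: int, n: int) -> int:
    """Number of length-n strings over k symbols with no adjacent repeat.

    The first position is free (k choices); each later position may be any
    symbol except the one immediately before it (k-1 choices).
    """
    if n == 0:
        return 1
    return k * (k - 1) ** (n - 1)


def count_by_enumeration(alphabet: str, n: int) -> int:
    """Brute-force cross-check of the formula (only feasible for tiny k, n)."""
    return sum(1 for s in product(alphabet, repeat=n)
               if not has_adjacent_repeat(s))


def report(k: int, n: int) -> dict:
    """Total vs. policy-allowed search space, and the entropy lost in bits,
    assuming the attacker knows the rule and skips rejected candidates."""
    total = k ** n
    allowed = count_without_adjacent_repeat(k, n)
    return {
        "total": total,
        "allowed": allowed,
        "fraction_kept": allowed / total,      # equals ((k-1)/k) ** (n-1)
        "total_bits": math.log2(total),
        "bits_lost": math.log2(total) - math.log2(allowed),
    }


if __name__ == "__main__":
    # Loss grows linearly with length but stays a fraction of a bit.
    for k, n in [(ALPHANUMERIC, 8), (ALPHANUMERIC, 12), (26, 30)]:
        r = report(k, n)
        print(f"k={k:>2} n={n:>2}: {r['total_bits']:5.1f} bits total, "
              f"rule removes {r['bits_lost']:.3f} bits, "
              f"keeps {r['fraction_kept']:.1%} of the space")
    # Passwords quoted in the thread, as the policy would judge them.
    for pw in ["xxxxx5", "jj4ooo", "correcthorsebatterystaple", "jjjbtieooygn"]:
        print(f"{pw!r}: {'rejected' if has_adjacent_repeat(pw) else 'accepted'}")
```

For 8 random alphanumeric characters the rule removes about 0.16 bits of a 47.6-bit space (it keeps roughly 89% of candidates), which is why the answers call the reduction insignificant. The same run shows that the rule does reject every password the thread holds up as good, including the xkcd one, so its cost is usability rather than brute-force exposure.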