Every time you introduce a password constraint, you've reduced the potential password complexity. I absolutely hate arbitrary password requirements. "not more than 2 identical characters in a row"? WTF? Stop with this nonsense.
"not more than 2 identical characters in a row"? WTF? Stop with this nonsense.
This is OT, but there's an interesting snippet in "The Secret Life of Bletchley Park" [1] about decoding Enigma messages used by the Italian Navy in the Med.
One of the female operators had a set of messages from one Italian operator who sent a message once a week on a regular basis. They had determined that the first letter was an 'L'. She looked at the keyboard, saw that 'L' was neatly placed under the right hand and guessed that he was sending a test message consisting of nothing but 'L's tapped out in quick succession. Voila! She hit the jackpot.
From this insight, all dial wirings and movements of the Italian machines could be quickly deduced.
So, repetitive plain text can be a security issue.
That's a vulnerability for cyphers and has no application to modern password systems. If a password were all Ls up to the minimum then certainly that would be a bad idea, but having two Ls in a row because your password happens to contain or be a derivative of a word that has two Ls has no bearing on how secure the password is.
Neither of those hashes would give an attacker the slightest bit of insight into the user's password even if the attacker suspected the first letter of each were an L.
> having two Ls in a row ... has no bearing on how secure the password is.
At least some password cracking programs are built to anticipate human tendencies, which I would guess includes repeating characters. If I were designing a password cracker, I would target human-created passwords and not random passwords. For example, I would have the program guess 123456 before it guesses R%Vg9~\
If I have a password 10 characters long with at least one uppercase, one lowercase, 1 digit, and 1 special character then having one of those repeated won't make it any less secure. Rigidly enforcing that rule doesn't make sense, it's saying that "R%Vg9~\LL" is less secure than "R%Vg9~\".
Sure, but in analyzing a password for acceptable entropy, one should be smart enough to delineate between:
LLLLLLLLLL
and
8x~3uLLx&#@_o
But most people who write password analysis are doing some really quick and dirty checks like [name/email not in password], [password exceeds X chars], [password contains at least 1 of these chars], etc. If you're going to introduce some other check, it should have the nuance to provide some allowances. I've had my auto-generated, 20-char digit/char/symbol PW from keepass get rejected for such things.
> Really? "(uJgP6h9=8Uc6x?}#B6Q" isn't enough for you?
Not after you've posted it on HN. That's only half joking...the biggest vulnerability in any password system is the humans involved. Security advisors should design around the natural behavior of their users, not try to force users into acting unnaturally. Otherwise, users will figure out how to introduce vulnerabilities that get around the constraints imposed upon them (the oft-cited writing passwords down).
The password "(uJgP6h9=8Uc6x?}#B6Q" (no quotation marks) has been scientifically determined to be the most complex password. Please make sure to change every password to this new password within 24 hours.
> One of the female operators had a set of messages from one Italian operator who sent a message once a week on a regular basis.
That was the most important mistake from the Italian operator.
> So, repetitive plain text can be a security issue.
The only thing that should be discouraged is that a password should contain only one repeated character, which is probably part of many dictionaries. Any variant (LLLLLLLLLLM) would be pretty secure, the longer the better.
That doesn't mean constraints like 'no repeated characters' are a good idea. It gives the attacker significantly more information about the plaintext if they know they can rule out all strings with duplicated characters.
It still reduces the potential brute force search space. Instead of forcing a clever brute forcer to search all of the horribly insecure passwords with no special characters and repeating characters, you're telling them up front that they can cut certain strings out of their search space.
I can see both sides of the argument, but often the password complexity rules result in users writing down their passwords on sticky notes. You could make the argument that if an attacker is at the desk, you're already compromised, but still it's probably better to just enforce a policy of reasonable password complexity no matter what it is. They have javascript password complexity indicators on many sites now, I think that should become standard.
> It still reduces the potential brute force search space.
I may be playing Devil's advocate, & these may be the ramblings of a fool but...
The space of possible passwords with "N characters" is many, many times larger than the space with "1 to N-1 characters" combined. In fact it makes it reasonably insignificant?
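As an added illustration of the two search-space claims above (this is example code, not part of the thread), assuming a 95-character printable ASCII alphabet: it counts exactly how many length-n strings a "no more than 2 identical characters in a row" rule removes, and how the space of length-n strings compares with all shorter lengths combined.

```python
"""Quantify how password-space arguments from the thread play out numerically.
Added example; the 95-symbol alphabet (printable ASCII) is an assumption."""
from fractions import Fraction

PRINTABLE_ASCII = 95  # assumed alphabet size


def count_no_triple(n: int, k: int) -> int:
    """Number of length-n strings over a k-symbol alphabet with no run of
    3 or more identical characters, i.e. what the 'max 2 in a row' rule allows.
    Dynamic programme over the length of the run at the end of the string."""
    if n == 0:
        return 1
    run1, run2 = k, 0  # strings ending in a run of exactly 1 / exactly 2
    for _ in range(n - 1):
        # append a different symbol (k-1 choices) -> run of 1;
        # append the same symbol to a run of 1 -> run of 2 (still allowed)
        run1, run2 = (run1 + run2) * (k - 1), run1
    return run1 + run2


def fraction_removed(n: int, k: int) -> Fraction:
    """Share of the k**n search space that the rule lets an attacker skip."""
    return 1 - Fraction(count_no_triple(n, k), k ** n)


def shorter_space_ratio(n: int, k: int) -> Fraction:
    """Size of all lengths 1..n-1 combined, relative to length n alone."""
    return Fraction(sum(k ** i for i in range(1, n)), k ** n)


if __name__ == "__main__":
    for n in (8, 10, 12, 20):
        print(f"n={n:2d}: rule removes {float(fraction_removed(n, PRINTABLE_ASCII)):.5%} "
              f"of the space; all shorter lengths = "
              f"{float(shorter_space_ratio(n, PRINTABLE_ASCII)):.4f} of length n")
```

For a 95-symbol alphabet the rule discards well under 0.1% of 10-character strings, and all shorter lengths together are about 1/94 of the length-10 space, so both effects are small compared with the cost of pushing users toward predictable patterns.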