Can a password have more than 3 of the same type of character in a row?
OWASP recommends this practice, and so do some other companies. I think it makes sense at first glance, but if you think about it, it actually limits entropy instead of increasing it. How many combinations would be reduced with this rule? I calculated their minimum entropy (10 characters, all 4 types) to be 3e19. Not having characters would limit it quite a bit, I would imagine. I don't know how much, but I would bet there would be a lot, using the birthday paradox as guidance.
What's the benefit? Is there a gain elsewhere, perhaps in the password cracking methodology? As far as I can tell, there isn't much there that I can think of. Can anyone explain why its benefits outweigh the negatives, or perhaps it is just a bad rule, and why OWASP and others think like this?
You asked: "Can a password have more than 3 of the same type of character in a row?" The answer is yes. While it's true that the rule limits overall entropy, I think the real question you should ask is how common passwords with three identical characters in a row really are.
Here's an experiment you could do: get a list of common passwords (the ten thousand most likely ones, for example). Count the number of passwords that contain three identical characters in a sequence. Then calculate how often such a sequence should occur if it were distributed randomly. If there are more passwords with such a sequence than statistics suggest there should be, then people tend to prefer such passwords, which means that it makes sense to forbid such patterns, because password guessers would capitalise on this knowledge and try passwords with these repetitions first, which would greatly reduce the search space.
I haven't done the maths, but I have a very strong gut feeling that the reduction in password entropy is the lesser problem if the identical-character pattern is actually common in passwords. I'm too rusty to come up with a mathematically sound answer, but when I was still in school we calculated probabilities of drawing a number of black balls from a sack containing black and white balls, putting the balls back after each draw. I think that would probably be the way to do the maths correctly, and since it's textbook probability, you might get lucky googling for this kind of problem.
For a quick feeling for the number of possibilities you'd remove with the not-three-identical-characters-in-a-row rule, think about what the chances would be to roll the same number of pips on a die three times in a row (the first throw doesn't matter, but the following two throws each have a 1/6 chance, so 1/36). If you do the same with a password, assuming it has 64 unique characters to choose from, you'd end up with a chance of 98.98% NOT to get an identical 3-character sequence (1-(1/64)^2). However, this isn't correct yet, because your password isn't just 3 characters long, it's 10 characters, so you'd have to take that into account. Possibly you have to multiply the chance to hit a three-duplicates sequence (1/64 * 1/64) by 8, because there are 8 possible positions the sequence can be found in (which would still leave 99.8% of the original entropy).
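The experiment this answer sketches, written out as an added Python example (not the answerer's code): it counts triples in a list and compares the observed fraction with the exact probability for uniformly random strings. The password list is constructed for illustration, not a real leak, and the alphabet size of 64 and length of 10 are the assumptions used in the answer above.

```python
import math
import re

# Constructed stand-in for a "top 10k" list; a few entries contain a run of
# three identical characters so the observed fraction is non-zero.
SAMPLE_PASSWORDS = [
    "password", "123456", "aaa111", "qwerty", "letmein", "111111",
    "abc123", "monkey", "dragon", "iloveyou", "passw0rd", "zzzz99",
    "sunshine", "football", "welcome1", "admin", "baseball", "trustno1",
    "1qaz2wsx", "hello123",
]

# Any character followed by two more copies of itself.
TRIPLE = re.compile(r"(.)\1\1")


def has_triple(pw: str) -> bool:
    """True if pw contains three identical characters in a row."""
    return TRIPLE.search(pw) is not None


def observed_fraction(passwords) -> float:
    """Share of the list that contains a triple (what the answer asks you to count)."""
    pws = list(passwords)
    return sum(has_triple(p) for p in pws) / len(pws)


def expected_fraction(length: int, alphabet: int) -> float:
    """Exact probability that a uniformly random string of `length` symbols
    drawn from `alphabet` symbols contains a run of 3 or more identical
    symbols. Tracks the probability mass of 'current run is 1' / 'is 2'
    (no triple so far) symbol by symbol, so overlapping positions are
    handled exactly rather than by the 8x union-bound approximation."""
    run1, run2 = 1.0, 0.0
    same = 1.0 / alphabet
    for _ in range(length - 1):
        run1, run2 = (run1 + run2) * (1.0 - same), run1 * same
    return 1.0 - (run1 + run2)


def entropy_loss_bits(length: int, alphabet: int) -> float:
    """Bits of entropy the uniform password space loses if triples are banned."""
    return -math.log2(1.0 - expected_fraction(length, alphabet))


def preference_ratio(passwords, length: int = 10, alphabet: int = 64) -> float:
    """observed / expected; a value well above 1 means people prefer triples."""
    return observed_fraction(passwords) / expected_fraction(length, alphabet)


if __name__ == "__main__":
    print(f"observed fraction with a triple: {observed_fraction(SAMPLE_PASSWORDS):.3f}")
    print(f"expected for random 10 of 64:    {expected_fraction(10, 64):.5f}")
    print(f"entropy lost by banning triples: {entropy_loss_bits(10, 64):.4f} bits")
    print(f"preference ratio:                {preference_ratio(SAMPLE_PASSWORDS):.1f}")
```

On the constructed list the observed fraction is two orders of magnitude above the random expectation, while the entropy cost of the rule on a uniform 10-character, 64-symbol space is a few thousandths of a bit.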