Can a password have more than 3 of the same type of character in a row?

845    Asked by Amitraj in Cyber Security , Asked on Apr 13, 2022

OWASP recommends this practice and so do some other companies. I think it makes sense at first glance but if you think about it, it actually limits entropy instead of increasing it. How many combinations would be reduced with this rule? I calculated their minimum entropy (10 characters, all 4 types) to be 3e19. Not having characters would limit it quite a bit I would imagine. I don't know how much but I would bet there would be a lot using the birthday paradox as guidance. 


What's the benefit? Is there a gain elsewhere, perhaps in the password cracking methodology? As far as I can tell, there isn't much there that I can think of. Can anyone explain why it's benefits outweigh the negatives or perhaps maybe it is just a bad rule and why OWASP and others think like this.

Answered by Alison Kelly

You asked - Can a password have more than 3 of the same type of character in a row, the answer is yes. While it's true that the rule limits overall entropy, I think the real question you should ask is how common passwords with three identical characters in a row really are.


Here's an experiment you could do: Get a list of common passwords (ten thousand most likely ones, for example). Count the number of passwords that contain three identical characters in a sequence. Then calculate how often such a sequence should occur if it was distributed randomly. If there are more passwords with such a sequence than statistics suggest there should be, then people tend to prefer such passwords, which means that it makes sense to forbid such patterns, because password guessers would capitalise on this knowledge and try passwords with these repetitions first, which would greatly reduce the search space.

I haven't done the maths, but I have a very strong gut feeling that the reduction in password entropy is the lesser problem IF the identical-character-pattern is actually common in passwords. I'm too rusty to come up with a mathematically sound answer, but when I was still in school we calculated probabilities of drawing a number of black balls from a sack containing black and white balls, with putting the balls back. I think that would probably be the way to do the maths correctly, and I think that since it's textbook probability, you might get lucky googling for this kind of problem.

For a quick feeling for the number of possibilities you'd remove with the not-three-identical-characters-in-a-row rule, think about what the chances would be to roll same number of eyes with a die three times in a row (the first one doesn't matter, but the following two throws each have a 1/6 chance, so 1/36). If you do the same with a password and assuming it's got 64 unique characters to choose from, you'd end up with a chance of 98.98% NOT to get an identical 3-character-sequence (1-(1/64)^2). However, this isn't correct yet because your password isn't just 3 characters long, it's 10 characters, so you'd have to take that into account. Possibly you have to multiply the chance to hit a three-duplicates-sequence (1/64 * 1/64) by 8 because there's 8 possible positions the sequence can be found in (which would still leave 99.8% of the original entropy)



Your Answer

Answer (1)

If you're receiving emails or messages from a site like Adultsexmeet and you didn't sign up for it, there are several possible reasons and steps you can take to address the issue:

Possible Reasons

Spam or Phishing Attempt:

The emails might be spam or phishing attempts. Scammers often send unsolicited emails to a large number of people, hoping to get some recipients to click on malicious links or provide personal information.

Mistaken Identity:

Someone might have mistakenly entered your email address when signing up for the service.

Data Leak:

Your email address might have been obtained from a data leak or breach from another service where you used the same email.

Steps to Take

Do Not Click on Any Links:

Avoid clicking on any links or downloading any attachments from the emails. They could lead to malicious websites or install malware on your device.

Mark as Spam:

Mark the emails as spam in your email client. This will help your email provider filter similar messages in the future.

Unsubscribe:

If there is an option to unsubscribe, you can use it. However, be cautious as sometimes clicking unsubscribe in a spam email can confirm to the sender that your email address is active.

Check for Data Breaches:

Use a service like Have I Been Pwned to check if your email address has been part of any known data breaches.

Update Email Filters:

Set up email filters to automatically delete or move these unwanted emails to the spam folder.

Report the Email:

Report the email to your email provider. Most email services have options to report phishing or spam emails.

Secure Your Email Account:

Change your email password and ensure it is strong and unique.

Enable two-factor authentication (2FA) for an added layer of security.

Contact the Website:

If the emails continue, you can try to contact the website's support team to request the removal of your email from their list.

Example Steps for Gmail Users

Mark as Spam:

Open the email.

Click on the three vertical dots (More) in the top right corner.

Select "Report spam."

Unsubscribe:


If there’s an unsubscribe link that looks legitimate (not suspicious), click it to stop receiving emails.

Create a Filter:


Open Gmail.

In the search bar at the top, click on the down arrow.

Enter the sender’s email address.

  Click "Create filter."Choose what you want the filter to do, such as "Delete it" or "Mark as spam."Click "Create filter."

By following these steps, you can reduce the likelihood of receiving unwanted emails from Adultsexmeet or similar sources. If you continue to experience issues, you may also consider reaching out to your email provider for further assistance.

Can A Password Have More Than 3 Of The Same Type Of Character In A Row?

ChatGPT

The allowance of more than three of the same type of character in a row in a password depends on the specific password policy of the system or service you're dealing with. Different systems enforce different rules regarding password complexity to ensure security. Here are some common considerations:

Typical Password Policy Requirements

Length Requirements:

Minimum and maximum length (e.g., 8-64 characters).

Character Type Requirements:

Must include a mix of character types: uppercase letters, lowercase letters, numbers, and special characters.

Repetition Limits:

Some systems might restrict the repetition of the same character consecutively (e.g., no more than three identical characters in a row).

Prohibited Patterns:

  Disallowing easily guessable patterns (e.g., "1234", "aaaa").

Previous Passwords:

Restrictions on reusing previous passwords.

Example Password Policies

Microsoft:

Typically, they require a combination of uppercase letters, lowercase letters, numbers, and special characters.

They do not generally specify limits on the repetition of characters.

Google:

Requires a strong password with a mix of characters.

They focus more on overall complexity rather than specific repetition rules.

Custom Corporate Policies:

Many companies implement specific rules based on their security requirements, which might include limits on repeating characters.

How to Check Password Policies

Documentation:

Check the official documentation or help section of the service or system for password requirements.

Password Creation/Change Interface:

When creating or changing a password, many systems provide real-time feedback on whether your password meets the requirements.

Contact Support:

If you’re unsure, contacting the support team of the service can provide clarification on their password policies.

General Recommendations for Strong Passwords

Length:

Aim for at least 12 characters.

Variety:

Use a mix of uppercase and lowercase letters, numbers, and special characters.

Avoid Common Patterns:

Avoid using easily guessable patterns or repeated sequences.

Use a Password Manager:

Consider using a password manager to generate and store complex passwords.

Example of a Strong Password:

  3x!C@tR#7bD!fL$p

This password includes:

16 characters

A mix of uppercase letters, lowercase letters, numbers, and special characters

No obvious repetition of characters or patterns

If you're implementing or checking against a specific password policy, make sure to test your passwords within the actual system to ensure compliance.








4 Months

Interviews

Parent Categories