View Single Post
Old 21 January 2014, 07:42 AM
Richard W's Avatar
Richard W Richard W is offline
Join Date: 19 February 2000
Location: High Wycombe, UK
Posts: 26,441

Originally Posted by GenYus234 View Post
And no more than two of the same characters together. IE, bb is okay, but not bbb.
I hate these restrictions. One of our systems at work has a restriction that you can't have more than three of the same character altogether - so "Mississippi" would be out because it's got 4 "s"s. (I'm not saying Mississippi in that form is a good password - it's an example). Of course, the longer your password the more likely it is to have repeated characters. I thought of a nice long memorable phrase which probably wouldn't have shown up in easy-to-guess-by-brute-force lists, and had to reject it because it happened to contain 5 "t"s. So I ended up shortening it to something significantly less secure.

I mentioned my bank in another thread, which only allows alphanumeric characters (no ^&*$% etc) - which is even worse in a sense, since there doesn't even seem to be a vague reason behind that one. I assume they're worried that one of their systems won't handle it, or that their input sanitizer will strip some of them (although if you can use the password field for an injection attack then there's something else wrong - they shouldn't be putting the passwords in the database in plain text in the first place! - and I doubt they are) or something.

Having restrictions to force you to use a minimum length and a certain variety of different types of character is one thing, but having restrictions that force you NOT to use certain patterns is something else... Another of our systems takes a 4-digit PIN that you have to change every so often, and that has an arbitrary list of "obvious combinations" that it rejects! It's a bloody 4-digit number in the first place!

Last edited by Richard W; 21 January 2014 at 07:47 AM.
Reply With Quote