Should work. Meets all requirements, only 2 characters in a repeating pattern plus the shift key. When they force you to change and not repeat, just iterate: s2S@s2S@ or a2A@a2A@
Doesn't the entirety of these restrictions decrease entropy? From a brute-force perspective, just having an 8-character minimum means that all under-8-character passwords can be cut out; by having no repeating letters, you can remove those possibilities as well, and the same goes for all of them. Now instead of having almost infinite possibilities, it's been dropped down to what? A couple hundred million? As long as you know the restrictions, you could write some sort of script using those limitations.
It really just comes down to a trade-off between forcing your clientele to have complex passwords and the amount of time it takes to brute-force it. But it doesn't take into account that the easier ways to obtain a password are social engineering methods. And if you have a ton of people forgetting their passwords (which will constantly happen), then the weakness is in the forgotten-password access features. Honestly, these things are pretty dumb.
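The keyspace-shrinking effect described in the two posts above can be measured exactly rather than guessed at. The following is an added example, not code from any poster in this thread; the policy it models is a hypothetical reading of the rules being discussed (minimum length 8, no identical adjacent characters, no three-character ascending run such as 'abc' or '123') and the 40-character alphabet is constructed for the demonstration. `count_allowed` uses dynamic programming over the last two characters to count every string the policy accepts, so the entropy lost to the adjacency rules can be stated in bits, and `passes_policy` shows why 'aaaa111!' is rejected while 'a1a1a1a!' sails through.

```python
import math
import string

# Constructed alphabet for the demonstration: 26 lowercase + 10 digits + 4 symbols = 40.
ALPHABET = string.ascii_lowercase + string.digits + "!@#$"


def has_consecutive_repeat(pw: str) -> bool:
    """True if any character is immediately followed by itself (e.g. 'aa', '11')."""
    return any(a == b for a, b in zip(pw, pw[1:]))


def has_sequential_run(pw: str, run: int = 3) -> bool:
    """True if `run` characters in a row ascend by +1 in code point (e.g. 'abc', '123')."""
    for i in range(len(pw) - run + 1):
        window = pw[i : i + run]
        if all(ord(window[j + 1]) - ord(window[j]) == 1 for j in range(run - 1)):
            return True
    return False


def passes_policy(pw: str, min_len: int = 8) -> bool:
    """Hypothetical composition policy: length floor, no repeats, no sequential runs."""
    return (
        len(pw) >= min_len
        and not has_consecutive_repeat(pw)
        and not has_sequential_run(pw)
    )


def count_no_repeat(alphabet_size: int, length: int) -> int:
    """Closed-form count of strings with no two equal adjacent characters."""
    if length == 0:
        return 1
    return alphabet_size * (alphabet_size - 1) ** (length - 1)


def count_allowed(alphabet: str, length: int) -> int:
    """Exact count of `length`-character strings over `alphabet` that satisfy both
    adjacency rules (no repeat, no 3-char ascending run), by DP over the last two chars."""
    n = len(alphabet)
    codes = [ord(c) for c in alphabet]
    if length == 0:
        return 1
    if length == 1:
        return n
    # counts[(i, j)] = number of valid strings whose last two characters are alphabet[i], alphabet[j]
    counts = {(i, j): 1 for i in range(n) for j in range(n) if i != j}
    for _ in range(length - 2):
        nxt = {}
        for (i, j), c in counts.items():
            for k in range(n):
                if k == j:
                    continue  # would create a consecutive repeat
                if codes[j] - codes[i] == 1 and codes[k] - codes[j] == 1:
                    continue  # would complete a 3-character ascending run
                nxt[(j, k)] = nxt.get((j, k), 0) + c
        counts = nxt
    return sum(counts.values())


def keyspace_report(alphabet: str, length: int) -> dict:
    """Compare the unconstrained keyspace with what the adjacency rules leave."""
    total = len(alphabet) ** length
    allowed = count_allowed(alphabet, length)
    return {
        "total": total,
        "allowed": allowed,
        "bits_lost": math.log2(total) - math.log2(allowed),
        "fraction_removed": 1 - allowed / total,
    }


if __name__ == "__main__":
    for pw in ("aaaa111!", "a1a1a1a!", "s2S@s2S@"):
        print(f"{pw!r}: passes={passes_policy(pw)}")
    r = keyspace_report(ALPHABET, 8)
    print(f"8-char keyspace over {len(ALPHABET)} symbols: {r['total']:,} total, "
          f"{r['allowed']:,} allowed, {r['bits_lost']:.3f} bits lost, "
          f"{r['fraction_removed']:.1%} removed")
```

The point to take from the report is that these adjacency rules trim only a fraction of a bit from a uniformly random 8-character password, while doing nothing about the patterned passwords users actually pick; a length floor plus a breach-list check removes far more weak passwords than a repeat or sequence rule does.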
46
u/gurenkagurenda Mar 08 '16
The consecutive and repeating letter restrictions actually significantly reduce entropy. It's also useless; they're trying to prevent you from just doing 'aaaa111!', but this doesn't stop you from using 'a1a1a1a!'.