
"not more than 2 identical characters in a row"? WTF? Stop with this nonsense.

This is OT, but there's an interesting snippet in "The Secret Life of Bletchley Park" [1] about decoding Enigma messages used by the Italian Navy in the Med.

One of the female operators had a set of messages from one Italian operator who sent a message once a week on a regular basis. They had determined that the first letter was an 'L'. She looked at the keyboard, saw that 'L' was neatly placed under the right hand and guessed that he was sending a test message consisting of nothing but 'L's tapped out in quick succession. Voila! She hit the jackpot.

From this insight, all dial wirings and movements of the Italian machines could be quickly deduced.

So, repetitive plain text can be a security issue.

[1] http://www.amazon.com/The-Secret-Life-Bletchley-Park/dp/1845...


That's a vulnerability for cyphers and has no application to modern password systems. If a password were all Ls up to the minimum then certainly that would be a bad idea, but having two Ls in a row because your password happens to contain or be a derivative of a word that has two Ls has no bearing on how secure the password is.

    sha256(LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL+mysalt) = 57c70b4fddd06c94c9a7b41d9884591bb1d487fb78df723b11bc4892e879f46e
    sha256(LRpSdU$EnD1ZrJJ2QyVHPycN*DZtrHm&YdH%%28f4ih+mysalt) = 29cd0708db0fb7350e17349012a6e728b357ef733e85f401fc757e6565ef5e80
Neither of those hashes would give an attacker the slightest bit of insight into the user's password even if the attacker suspected the first letter of each were an L.


> having two Ls in a row ... has no bearing on how secure the password is.

At least some password cracking programs are built to anticipate human tendencies, which I would guess includes repeating characters. If I were designing a password cracker, I would target human-created passwords and not random passwords. For example, I would have the program guess 123456 before it guesses R%Vg9~\


The other complexity rules rule that out, though.

If I have a password 10 characters long with at least one uppercase, one lowercase, 1 digit, and 1 special character then having one of those repeated won't make it any less secure. Rigidly enforcing that rule doesn't make sense, it's saying that "R%Vg9~\LL" is less secure than "R%Vg9~\".


Sure, but in analyzing a password for acceptable entropy, one should be smart enough to delineate between:

LLLLLLLLLL

and

8x~3uLLx&#@_o

But most people who write password analysis are doing some really quick and dirty checks like [name/email not in password], [password exceeds X chars], [password contains at least 1 of these chars], etc. If you're going to introduce some other check, it should have the nuance to provide some allowances. I've had my auto-generated, 20-char digit/char/symbol PW from keepass get rejected for such things.
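The "quick and dirty" checks above, alongside a check with the nuance the comment asks for, as an added example (my code, not anything posted in the thread). It compares the rigid "no more than 2 identical characters in a row" rule from the top of the thread with a check that collapses runs of repeated characters first and only rejects a password when little remains after that collapse. The thresholds (10 characters minimum, 8 characters after collapsing) are my own assumptions, and the sample passwords are the ones quoted in the thread plus one constructed all-same-character string.

```python
from itertools import groupby

MIN_LENGTH = 10            # length floor used in the thread's example policy
MIN_COLLAPSED_LENGTH = 8   # assumption: what must remain once runs are collapsed


def longest_run(pw: str) -> int:
    """Length of the longest run of one repeated character ("LLLLLLLLLL" -> 10)."""
    return max((sum(1 for _ in group) for _, group in groupby(pw)), default=0)


def collapse_runs(pw: str) -> str:
    """Collapse every run of identical characters to a single character."""
    return "".join(ch for ch, _ in groupby(pw))


def naive_repeat_rule(pw: str) -> bool:
    """The rigid rule quoted at the top of the thread: at most 2 identical characters in a row."""
    return longest_run(pw) <= 2


def nuanced_check(pw: str) -> tuple[bool, str]:
    """Reject only passwords where repetition is doing most of the work.

    A run of repeated characters adds almost nothing an attacker's mangling rules
    would not try, so we measure the password with runs collapsed: if the
    collapsed core is still long, incidental repeats ("LL" inside a word) are fine.
    """
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    core = collapse_runs(pw)
    if len(core) < MIN_COLLAPSED_LENGTH:
        return False, f"only {len(core)} distinct positions remain after collapsing repeats"
    return True, "ok"


def evaluate(pw: str) -> dict:
    """Run both rules on one password and report the numbers behind the decision."""
    accepted, reason = nuanced_check(pw)
    return {
        "password": pw,
        "length": len(pw),
        "longest_run": longest_run(pw),
        "collapsed_length": len(collapse_runs(pw)),
        "naive_rule_accepts": naive_repeat_rule(pw),
        "nuanced_check_accepts": accepted,
        "reason": reason,
    }


# Sample inputs: the strings quoted in this thread (constructed test data, not real credentials).
SAMPLES = [
    "LLLLLLLLLL",                 # degenerate: one character repeated
    "8x~3uLLx&#@_o",              # incidental double letter
    "(uJgP6h9=8Uc6x?}#B6Q",       # generated 20-character password
    "mmmdG0tKtN#mmmmmmmmmmmmm",   # long runs around a random core
    "dG0tKtN#mm",                 # short, ends in a double letter
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate(sample))
```

The naive rule rejects the 24-character password with the "mmm" runs while accepting the 10-character all-L string's cousin "dG0tKtN#mm" on equal terms; the collapsed-length check rejects only the string that is nothing but one repeated character.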


> I've had my auto-generated, 20-char digit/char/symbol PW from keepass get rejected for such things.

Huge pet peeve of mine. Really? "(uJgP6h9=8Uc6x?}#B6Q" isn't enough for you?


> Really? "(uJgP6h9=8Uc6x?}#B6Q" isn't enough for you?

Not after you've posted it on HN. That's only half joking...the biggest vulnerability in any password system is the humans involved. Security advisors should design around the natural behavior of their users, not try to force users into acting unnaturally. Otherwise, users will figure out how to introduce vulnerabilities that get around the constraints imposed upon them (the oft-cited writing passwords down).


Memo: ATTN All Employees

The password "(uJgP6h9=8Uc6x?}#B6Q" (no quotation marks) has been scientifically determined to be the most complex password. Please make sure to change every password to this new password within 24 hours.

Signed, The Mgt.


Obviously not, there is no e that could be replaced with a 3.


> One of the female operators had a set of messages from one Italian operator who sent a message once a week on a regular basis.

That was the most important mistake from the Italian operator.

> So, repetitive plain text can be a security issue.

The only thing that should be discouraged is that a password should contain only one repeated character, which is probably part of many dictionaries. Any variant (LLLLLLLLLLM) would be pretty secure, the longer the better.


That doesn't mean constraints like 'no repeated characters' are a good idea. It gives the attacker significantly more information about the plaintext if they know they can rule out all strings with duplicated characters.
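How much a repetition rule actually shrinks the space an attacker has to search can be counted exactly, so here is an added example (my code, not the commenter's) that does the arithmetic for two rules: the thread's "no more than 2 identical characters in a row" and the stricter "no repeated characters anywhere". It counts the allowed strings of length n over an alphabet of k symbols (dynamic programming over the current run length for the first rule, k-permute-n for the second) and reports the bits of entropy the rule removes relative to an unconstrained random password. The alphabet size of 95 printable ASCII characters and length 10 are my assumed inputs.

```python
import math


def count_no_long_runs(k: int, n: int, max_run: int = 2) -> int:
    """Number of length-n strings over k symbols whose longest run of one symbol is <= max_run.

    State: runs[r] = number of strings of the current length that end in a run
    of exactly r identical symbols. Extending a string either switches to one
    of the other k-1 symbols (run length resets to 1) or repeats the last
    symbol (run length grows by one, allowed only while it stays <= max_run).
    """
    if n == 0:
        return 1
    runs = [0] * (max_run + 1)
    runs[1] = k
    for _ in range(n - 1):
        nxt = [0] * (max_run + 1)
        nxt[1] = sum(runs) * (k - 1)
        for r in range(1, max_run):
            nxt[r + 1] = runs[r]
        runs = nxt
    return sum(runs)


def count_no_repeats(k: int, n: int) -> int:
    """Number of length-n strings over k symbols in which every character is distinct."""
    return math.perm(k, n)


def bits_removed(k: int, n: int, allowed: int) -> float:
    """Entropy lost by restricting a uniform length-n password to `allowed` strings."""
    return n * math.log2(k) - math.log2(allowed)


def compare_rules(k: int = 95, n: int = 10) -> dict:
    """Bits of search space each rule hands the attacker for a random k-symbol, length-n password."""
    total = k ** n
    long_runs = count_no_long_runs(k, n)
    no_repeats = count_no_repeats(k, n)
    return {
        "unconstrained_bits": n * math.log2(k),
        "no_3_in_a_row_excluded_fraction": 1 - long_runs / total,
        "no_3_in_a_row_bits_removed": bits_removed(k, n, long_runs),
        "no_repeats_excluded_fraction": 1 - no_repeats / total,
        "no_repeats_bits_removed": bits_removed(k, n, no_repeats),
    }


if __name__ == "__main__":
    for key, value in compare_rules().items():
        print(f"{key:36s} {value:.4f}")
```

The counts are exact integers, so the DP can be sanity-checked by hand on tiny alphabets (k=2, n=3: 8 strings, of which "AAA" and "BBB" are excluded, leaving 6). For the 95-symbol, 10-character case the "no 3 in a row" rule removes well under a hundredth of a bit, and even forbidding every repeat removes less than one bit; the rules' real cost is not the keyspace they give away but the generated passwords they reject, as the comments above describe.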


And isn't mmmdG0tKtN#mmmmmmmmmmmmm more secure than dG0tKtN#mm?