
Password rules language doesn’t allow us to express requirement that password not contain the same character twice

Open Cldfire opened this issue 5 years ago • 2 comments

Spotted at https://www.netteller.com/login2008/Authentication/Views/Login.aspx (to get to the same page, go to https://www.sagaftrafcu.org/, click "Login", enter any username, click "Forgot Password" on the subsequent page).

Note the requirement:

Cannot repeat the same character more than twice (e.g. “ACTORAFTR” or “SAG111”)

The password rules language provides no way to express this requirement. We can currently place a restriction on the max number of consecutive characters (via the max-consecutive keyword), but not the max number of the same character overall.

Cldfire, Nov 30 '20 16:11

What an interesting requirement! I don’t think it would be hard to devise a way to express this in the rules language, but I think we might want to first refresh the standards proposal.

rmondello, Nov 30 '20 21:11

Note that https://myaccountviewonline.com also has this requirement on their signup form.

While the text says it is about 3 characters in a row, in practice they are just checking for more than 3 of the same character anywhere in the password.

jessieberlin, Apr 10 '21 18:04
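
Added example (not part of the thread and not code from password-manager-resources): a checker that separates the two limits discussed above, the longest run of a repeated character, which `max-consecutive` covers, and the highest count of any one character anywhere in the password, which the rules language cannot express. The `maxOverall` option and the function names are hypothetical, characters are compared exactly (case-sensitive, an assumption), and all sample passwords except "SAG111" are constructed.

```javascript
// maxConsecutive mirrors the existing max-consecutive rule; maxOverall is a
// hypothetical limit that the rules language has no keyword for.

// Length of the longest run of one repeated character.
function longestRun(password) {
  let best = 0, run = 0, prev = null;
  for (const ch of password) {        // iterates by code point, not UTF-16 unit
    run = ch === prev ? run + 1 : 1;
    if (run > best) best = run;
    prev = ch;
  }
  return best;
}

// Highest number of times any single character occurs anywhere.
function maxOccurrences(password) {
  const counts = new Map();
  let best = 0;
  for (const ch of password) {
    const n = (counts.get(ch) || 0) + 1;
    counts.set(ch, n);
    if (n > best) best = n;
  }
  return best;
}

// Returns the names of the limits the password violates.
function violations(password, { maxConsecutive = Infinity, maxOverall = Infinity } = {}) {
  const failed = [];
  if (longestRun(password) > maxConsecutive) failed.push("max-consecutive");
  if (maxOccurrences(password) > maxOverall) failed.push("max-overall (hypothetical)");
  return failed;
}

// "SAG111" is the site's own example; the other two are constructed.
const limits = { maxConsecutive: 2, maxOverall: 2 };
for (const pw of ["SAG111", "k1Tz1Qw1", "Zq7mXv2L"]) {
  console.log(pw, longestRun(pw), maxOccurrences(pw), violations(pw, limits));
}
```

A generator that only honours `max-consecutive: 2` can emit a password like the second sample, which has no repeated run at all yet still fails a site that counts occurrences overall.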