More criteria for creating strong passwords

One of the websites I have an account at has a new password requirement I haven’t seen before. It may not contain the same character more than 4 times in the password. I typically generate 128 character passwords, and I verified all 4 passwords I generated had a character repeated throughout the password 4 or more times. I ended up dropping the password to 40 characters, and the generated password also contained the letter y 4 times, and the site did not accept it. I generated another 40 character password, and this time there were no characters present 4 times, and the system accepted it. Would it be possible for you to add additional parameters when generating passwords? For your reference, the password requirements of the site are as follows:

  • One number

  • Two letters

  • 8 characters minimum

  • Don’t repeat a character three consecutive times

  • Don’t repeat a character four times total

There appear to be several password generation requests. It may be worth considering consolidating them into the existing request, as otherwise, the chances of implementation are likely to be slim. Even requests with a high number of votes do not always get implemented, so the best chance is to find someone to assist with the implementation.

This particular request, which has received many votes, may contain some or all of the features you require. You can find it here:


May I ask, why 128 characters, or even 40 characters?

@danmullen 128 characters in a password is definitely overkill, but there are some scenarios in which more than 40 characters* may be a rational choice:

  • If your password is generated entirely from lowercase letters a-z, you would need 55 characters to match the entropy of a 256-bit key.

  • If your password is generated entirely from numbers 0-9, you would need 78 characters to match the entropy of a 256-bit key.

  • If your password is generated entirely from the set of 8 special characters allowed in the Bitwarden password generator, you would need 86 characters to match the entropy of a 256-bit key.

*Actually, using the full set of 70 characters available in the Bitwarden password generator, 42 characters would be required to reach 256 bits of entropy; with 40 characters, the password “only” has 245 bits of entropy.
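As an added illustration (not code from this thread or from Bitwarden), the entropy arithmetic behind the figures above, plus a rejection-sampling generator that enforces the site rules listed in the first post; the 8-character special set and the `generate` helper are assumptions for the example only.

```python
import math
import secrets
from collections import Counter

LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
SPECIAL = "!@#$%^&*"  # assumed 8-character special set, for the count only
FULL = LOWER + LOWER.upper() + DIGITS + SPECIAL  # 70 characters in total


def bits_of_entropy(length, alphabet_size):
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def chars_needed(target_bits, alphabet_size):
    """Smallest length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def meets_site_rules(pw):
    """Rules from the first post: at least one digit, two letters and 8 chars;
    no character three times in a row; no character four or more times total."""
    if len(pw) < 8:
        return False
    if sum(c.isdigit() for c in pw) < 1 or sum(c.isalpha() for c in pw) < 2:
        return False
    if any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2)):
        return False
    return max(Counter(pw).values()) < 4


def generate(length, alphabet=FULL, max_tries=10000):
    """Draw uniform random passwords (CSPRNG) and keep the first that passes.
    Rejection keeps the accepted passwords uniformly distributed over the
    allowed set; it only fails when the length makes the repeat limit
    practically unreachable (e.g. 128 chars from a 70-char alphabet)."""
    for _ in range(max_tries):
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_site_rules(pw):
            return pw
    return None
```

Note that the repeat limit caps usable length at three occurrences per alphabet character, so the 40-character password in the thread fits easily while 128 characters from the same 70-character set almost never will.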

I think the law of diminishing returns applies here… it’s just making it more difficult to satisfy the website’s requirements whilst not really providing more security.

I agree — I was just being pedantic in my response above. In practice, anything beyond 25 characters is unnecessary, and 12 characters should be sufficient if sufficiently varied. This will produce 75 bits of entropy, which requires thousands of GPU-years to crack, even if MD5-hashed.
