Secure password explanation?

Subject: Secure password explanation?
From: "McLauchlan, Kevin" <Kevin -dot- McLauchlan -at- safenet-inc -dot- com>
To: "techwr-l -at- lists -dot- techwr-l -dot- com" <techwr-l -at- lists -dot- techwr-l -dot- com>
Date: Mon, 18 Jun 2012 12:04:05 -0400

Certain database apps from a certain big company (no names, but it's initial is O), that I sometimes need to use, set a bunch of rather stringent conditions on new passwords, including a ban on double characters - so no words with double vowels or double consonants, and no repeated digits or punctuation. It's a real pain, given that the apps also force password changes every 60 days.

This is actually more severe than the password best practice that I currently recommend in my customer docs (we're a cryptographic hardware and software company...).

Naturally, I'd like to keep up with the times and with valid security procedures. But I just haven't been able to discover what security advantage is conferred by avoiding double letters, double numbers, or double punctuation. Does anybody know?

When I suggest a practice or restriction, I like to be able to back it up with a quick explanation, so it doesn't look totally arbitrary.
I've drawn a blank trying to imagine what advantage an attacker gains if a (say) 20-character password were to include a pair of identical characters. Yes, it's true that the subset of all words having two identical characters side-by-side is smaller than the set of all words, but there's no way to know that it's a word, and if it is, where it starts or ends within the string. It could as easily be the last character in one random word followed by the first character in another random word. It could be the letters that result from taking the first letter of each word in a phrase. It could be a pair of numbers in a larger number.

For that matter, forcing a no-doubles rule actually shrinks the available string space and makes it non-random. Most crypto apps want greater entropy in seeds and inputs, not less.

A casual query to a security architect garnered a head-scratch and a reply of "You've got me there...".

Someone else - of a cynical mind - suggested that the O requirement was "probably just optics" ... trying to impress the uninformed with a bogus stringency that conveyed no actual advantage in security.



The information contained in this electronic mail transmission
may be privileged and confidential, and therefore, protected
from disclosure. If you have received this communication in
error, please notify us immediately by replying to this
message and deleting it from your computer without copying
or disclosing it.

Create and publish documentation through multiple channels with Doc-To-Help. Choose your authoring formats and get any output you may need.

Try Doc-To-Help, now with MS SharePoint integration, free for 30-days.


You are currently subscribed to TECHWR-L as archive -at- web -dot- techwr-l -dot- com -dot-

To unsubscribe send a blank email to
techwr-l-leave -at- lists -dot- techwr-l -dot- com

Send administrative questions to admin -at- techwr-l -dot- com -dot- Visit for more resources and info.

Looking for articles on Technical Communications? Head over to our online magazine at

Looking for the archived Techwr-l email discussions? Search our public email archives @


Previous by Author: Flare 8.1.1
Next by Author: RE: Secure password explanation?
Previous by Thread: Re: Classic case of SMEese…
Next by Thread: Re: Secure password explanation?

What this post helpful? Share it with friends and colleagues:

Sponsored Ads