[personal profile] venta

The other day, I was trying to sign into my Subway loyalty app. That's Subway the sandwich shop. They've changed their security model, and please would I pick a new password.

I have a generic password that I use for everything I don't really care about. It's a decent enough password (the sort of sites that tell you how strong your choice is usually put it at medium).

Subway rejected it: it had no capital letters. I tried a different one, which was rejected due to having no numbers. OK, fine. I'll stick a capital in my generic password, and I'll doubtless forget I've done that and have to reset it in the future, but really, who cares?

Subway rejected it because it had consecutive repeated characters. Wait, what? Does that rule actually achieve anything other than massively reducing the search space a potential hacker needs to hit?

To be honest, this is my feeling about all the "must have a capital" and "must have a numerical digit" rules. It's quite possible to produce a strong password with neither. By enforcing these, you're just making my password very slightly easier to brute force.

Of course, given the general approach to passwords (see Ashley Madison's list of cracked passwords) I appreciate that the rules are there for a reason.

But "no repeated letters"? I don't get it.
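The post argues that each composition rule shrinks the space an attacker has to search. The script below is an added example, not part of the original post, that puts a number on that: it mirrors the three rules described above (must contain a capital, must contain a digit, no consecutive repeated characters) in a policy checker, counts the passwords each rule still allows by inclusion-exclusion, and reports the result as bits of search space removed. It assumes a 95-character printable-ASCII alphabet and an 8-character password purely for illustration; Subway's real alphabet and length limits are not stated anywhere on this page. The "no consecutive repeats" count uses the fact that the first character has every symbol available and each later one has every symbol but its predecessor.

```python
import math
import string
from itertools import product

# Constructed character classes for the illustration: 95 printable ASCII
# characters (26 upper, 26 lower, 10 digits, 32 symbols, space). Subway's
# real alphabet and length limits are not known from the post.
UPPER = frozenset(string.ascii_uppercase)
DIGITS = frozenset(string.digits)
PRINTABLE = frozenset(string.ascii_letters + string.digits + string.punctuation + " ")


def passes_policy(pw, required_classes=(UPPER, DIGITS), forbid_consecutive_repeat=True):
    """Mirror the rules the post describes: at least one character from each
    required class, and no character immediately followed by itself."""
    chars = set(pw)
    if any(not (cls & chars) for cls in required_classes):
        return False
    if forbid_consecutive_repeat and any(a == b for a, b in zip(pw, pw[1:])):
        return False
    return True


def _strings_over(alpha_size, length, forbid_consecutive_repeat):
    """Number of strings of the given length over an alphabet of alpha_size
    symbols. With the no-consecutive-repeat rule the first position has
    alpha_size choices and each later position alpha_size - 1 (anything but
    its predecessor)."""
    if length == 0:
        return 1
    if forbid_consecutive_repeat:
        return alpha_size * (alpha_size - 1) ** (length - 1)
    return alpha_size ** length


def count_allowed(alphabet, length, required_classes=(UPPER, DIGITS),
                  forbid_consecutive_repeat=True):
    """Count the passwords the policy accepts, by inclusion-exclusion over the
    required classes: take all strings, subtract those missing each class, add
    back those missing each pair, and so on. This composes with the
    no-consecutive-repeat rule because that rule's count depends only on the
    size of the alphabet a string is drawn from."""
    alphabet = frozenset(alphabet)
    required = [frozenset(cls) & alphabet for cls in required_classes]
    total = 0
    for mask in range(1 << len(required)):
        excluded = frozenset().union(*(required[i] for i in range(len(required)) if mask >> i & 1))
        sign = -1 if bin(mask).count("1") % 2 else 1
        total += sign * _strings_over(len(alphabet - excluded), length, forbid_consecutive_repeat)
    return total


def bits_lost(alphabet, length, **policy):
    """How many bits of search space the policy removes for an attacker who
    would otherwise try every string of this length uniformly."""
    unconstrained = len(frozenset(alphabet)) ** length
    return math.log2(unconstrained) - math.log2(count_allowed(alphabet, length, **policy))


def brute_force_check(alphabet, length, **policy):
    """Enumerate every string over a tiny alphabet and confirm the formula."""
    enumerated = sum(1 for t in product(sorted(alphabet), repeat=length)
                     if passes_policy("".join(t), **policy))
    return enumerated == count_allowed(alphabet, length, **policy)


def policy_cost(alphabet, length):
    """Bits lost under each combination of the rules mentioned in the post."""
    variants = {
        "no rules": dict(required_classes=(), forbid_consecutive_repeat=False),
        "must have upper + digit": dict(required_classes=(UPPER, DIGITS), forbid_consecutive_repeat=False),
        "no consecutive repeats": dict(required_classes=(), forbid_consecutive_repeat=True),
        "all three rules": dict(required_classes=(UPPER, DIGITS), forbid_consecutive_repeat=True),
    }
    return {name: bits_lost(alphabet, length, **p) for name, p in variants.items()}


if __name__ == "__main__":
    assert brute_force_check("aB1!", 3)   # sanity-check the formula on a 4-symbol alphabet
    for name, bits in policy_cost(PRINTABLE, 8).items():
        print(f"{name:<26} costs {bits:.3f} bits of an 8-character search")
```

Run it and the table gives the cost of each rule for a uniform brute-force attacker under the stated assumptions; the `brute_force_check` call exists so you can trust the closed-form counts before reading anything into them. The numbers only describe a uniform search over every string, which is the attack the rules nominally defend against; they say nothing about dictionary or leaked-list attacks, where composition rules mostly change which predictable variant ("Password1") gets tried first.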

Date: 2015-10-06 09:00 am (UTC)
From: [identity profile] vicarage.livejournal.com
I never understand why companies with such petty financial reward systems like Subway think their password systems need to be complex. Surely they realise the difference between defrauding me of £1000s, or a sandwich.

I have a petty password (with variants for annoying companies) which I put in a wiki page (protected by a stronger password). Most of it is 32 years old, the end bit only 25 years old.

I have a stronger password which is a decade old.

I have individual passwords for the real money, written with gaps on a piece of paper on my desk.

Date: 2015-10-06 09:08 am (UTC)
From: [identity profile] venta.livejournal.com
If you had my Subway password (and the email address I gave them, which is not my regular address) and could sign into my account you'd get my name, full address and birthday. As well as my free sandwich. So I should be pleased they are taking security seriously.

Back in the days when I used to dash through Reading station on the way to dance practice, I ate at Subway sufficiently frequently that the rewards were actually pretty good value. Nowadays I do it so infrequently it probably isn't worth bothering.

Date: 2015-10-06 10:52 am (UTC)
From: [identity profile] venta.livejournal.com

Of course, the strength of my password is borderline irrelevant if (for example) they store it themselves in plaintext.

Page generated Jul. 4th, 2025 06:53 pm
Powered by Dreamwidth Studios