When using Discourse as a private repository of sensitive/confidential information, we care about password security. My question is: is enforcing unique characters in passwords a good practice or bad?
The Internet seems to have a consensus that:
Longer passwords are better, although technically speaking it reduces the search space. However, the trade-off seems to be accepted by most due to the fact that
- humans are lazy, and will use short passwords if allowed to
- the search space reduction is mostly in short passwords which is not significant compared to the entire search space
Passwords combining different character groups are better, although, again, technically speaking it reduces the search space. But again, humans are lazy and won’t use weird/uppercase if they don’t have to.
A min number (usually at least 5 recommended) of unique characters is better. This is less certain. My question concerns this.
I am thinking that forcing unique characters may actually decrease security because:
Not many people will use strings of the same characters in passwords… for example, they’ll tend to type
Limiting the ability to repeat characters SIGNIFICANTLY reduces the search space. Forgot where I read it, but I read it somewhere that it reduces the search space by more than half.
Any thoughts by security experts on this?
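To put a number on the "reduces the search space" point, here is an added example (not from the post or from Discourse) that counts, by inclusion-exclusion, how many passwords of length n over an alphabet of k symbols survive a rule requiring at least m distinct characters, and converts the excluded share into bits of lost entropy. The alphabet size 95, length 8 and minimum 5 used in the demo are assumed parameters chosen to resemble a printable-ASCII policy.

```python
from math import comb, log2


def surjections(n: int, d: int) -> int:
    """Number of length-n strings that use every one of d given symbols
    at least once (inclusion-exclusion over the symbols left unused)."""
    return sum((-1) ** i * comb(d, i) * (d - i) ** n for i in range(d + 1))


def count_with_at_least_distinct(k: int, n: int, m: int) -> int:
    """Strings of length n over k symbols containing at least m distinct symbols.
    Exactly d distinct symbols: choose the d symbols, then fill n positions
    so that each chosen symbol appears at least once."""
    return sum(comb(k, d) * surjections(n, d) for d in range(m, min(n, k) + 1))


def search_space_reduction(k: int, n: int, m: int):
    """Return (allowed, fraction_removed, bits_lost) for a policy requiring
    at least m distinct characters in a length-n password over k symbols."""
    total = k ** n
    allowed = count_with_at_least_distinct(k, n, m)
    fraction_removed = 1 - allowed / total
    bits_lost = log2(total / allowed) if allowed else float("inf")
    return allowed, fraction_removed, bits_lost


if __name__ == "__main__":
    # Assumed policy: printable ASCII (95 symbols), 8 characters, >= 5 distinct.
    allowed, removed, bits = search_space_reduction(95, 8, 5)
    print(f"allowed passwords : {allowed}")
    print(f"fraction excluded : {removed:.2e}")
    print(f"entropy lost      : {bits:.6f} bits")
    # Tiny alphabet for intuition: 3-char passwords over {a,b}, >= 2 distinct
    # excludes only "aaa" and "bbb", i.e. 2 of 8.
    print(search_space_reduction(2, 3, 2))
```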