
Is a Long Password of Repeating Characters Good or Not?

Question: In a recent newsletter, you answered someone’s question about passwords. I didn’t understand your answer. Could you clarify with an outright, direct, plain, clear answer? The person was asking about passwords, an idea he had, and would it just be safer to use repeating letters as passwords? I couldn’t understand if you were saying it was good and safer as it was harder to hack with hacking software or just the opposite. I don’t understand the explanation about how hacking software works and I don’t need to. Just the answer to that question about a series of same letters would be sufficient enough for me to know what would be good to do or not to do.

As direct, plain, and clear as I can be, the answer is no, you should not use a password that is a single repeating character.

In my defense, the answer really isn’t that simple or that easy. It actually does require a little bit of thought. The problem is that it’s a very complex topic. And there aren’t always simple yes-or-no answers.


Password examples

So let’s say you’ve got a password of 16 repetitions of the letter x. Now that kind of password is great to foil certain types of hacking attacks; for instance, those that simply try all possible combinations of letters and numbers. That’s because the password is long. So “long” is good; longer is always better than shorter.

Now, those 16 repetitions of the letter x are a bad password if you’re attempting to foil other types of hacking attacks, such as attacks that simply start by trying common patterns. Because this is such a very simple, potentially common pattern, it could be very quickly hacked.

The problem is that we don’t know which approach hackers are using, or whether they’ll use something else entirely. So the point that I was trying to make, and I suspect I didn’t make clearly, was simply this: the best password is both long and complex.

Complexity doesn’t have to be random letters. If your password is long enough, it could be complex by selecting random words that are easy for you to remember but result in a long password.
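The two views of the same password described above, as an added example that is not part of the original article: one function measures how large the try-every-combination search is, another finds the shortest repeating unit that a pattern-first guesser would need. The function names, the 60-bit `min_bits` threshold and the sample passwords are assumptions made for illustration.

```python
import math
import string

def charset_size(pw):
    """Alphabet size a try-every-combination search must cover for pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw): size += 26
    if any(c in string.ascii_uppercase for c in pw): size += 26
    if any(c in string.digits for c in pw): size += 10
    if any(c in string.punctuation + " " for c in pw): size += 33
    return max(size, len(set(pw)))  # fallback for characters outside ASCII

def exhaustive_bits(pw):
    """log2 of the candidates an exhaustive search of this length and alphabet holds."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def smallest_repeating_unit(pw):
    """Shortest prefix that, repeated, reproduces the whole password."""
    for k in range(1, len(pw) + 1):
        if len(pw) % k == 0 and pw[:k] * (len(pw) // k) == pw:
            return pw[:k]
    return pw

def assess(pw, min_bits=60.0):
    """min_bits is an assumed policy threshold, not a figure from the article."""
    unit = smallest_repeating_unit(pw)
    brute = exhaustive_bits(pw)
    # A pattern-first guesser only has to find the unit, not the full string.
    pattern = exhaustive_bits(unit)
    if len(unit) < len(pw) and pattern < min_bits:
        verdict = "reject: repeating pattern"
    elif brute < min_bits:
        verdict = "reject: too short"
    else:
        verdict = "accept"
    return {"length": len(pw), "exhaustive_bits": round(brute, 1),
            "unit": unit, "pattern_bits": round(pattern, 1), "verdict": verdict}

# Constructed sample passwords, for illustration only.
SAMPLES = ["x" * 16, "abab" * 4, "Tr7!", "maple tractor violin sunset"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(repr(pw), assess(pw))
```

The `exhaustive_bits` figure only describes a character-by-character search; it does not model guessing from word lists, so it should be read as an upper bound for a passphrase.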


8 comments on “Is a Long Password of Repeating Characters Good or Not?”

  1. I would think (I’m no expert) that no matter what password you have, it depends on how the hacker goes about doing his thing whether or not it is easy. Using a date of birth or loved one’s name might be easy for someone who knows you, but harder for a stranger. Would any hacker for example expect a 3 letter/number password? In most cases the minimum is 4 characters, so can the hackers tell how many characters they should be trying with? Some websites insist on having at least one number or letter in an eight character password for example. This already limits the number of searches a hacker would have to do, as he can rule out all the same character combinations and all the combinations having all letters or all numbers. Unless you have a concerted effort to get the password by a professional hacker, I would think that any password can be hard to crack for someone who doesn’t know it. Of course the hackers reading this are probably laughing at me now, but if you can tell me why I’m wrong I’d appreciate it.

    • Ok so I read the Haystack article and my question has been pretty much answered, so I will be making a change or two to my passwords. Glad to say I was partly (fractionally) right in that the hacker has no idea how long the password is. Can they really search at a trillion guesses a second? How does the website or whatever confirm that fast that they have the correct password? Wouldn’t it fly right by before getting the confirmation? And don’t the websites usually block any access after 3 failed attempts at entering a password?

      • Another thought. Won’t hackers be going all out to hack the GRC Password Haystack calculator? Millions of people are probably checking their password there, so it would be a goldmine for password collectors.

        • Actually any good random password generator like that won’t give the hackers any information. The password isn’t “calculated” – you’re simply given a random string to use as your password. It’s SO random that there’s no way to know what you got, or to use the generator in any way that would let them figure it out.

      • The three trillion attempts per second is an example of an off-line attack. This is what happens when a hacker actually sneaks in and steals the database of user accounts and encrypted passwords. (Most large-scale hacks you hear about are exactly this, these days.) They then hack the encrypted passwords and if successful they then come back to the original site and login.

  2. Oops!
    y..password,” then you’re safe: go ahead and change the passphrase, entering the complete version this time.

    [ Hey, Leo, how about adding “Edit Post” links so we can correct our mistakes?! ]

