
Why is allowing repetitive characters in a password unsafe?


I checked several password policies that establish that 2 or more repeated characters are not allowed in the password, for example "xxxxx5". But that policy doesn't make sense to me, because the password space is reduced (xxxxx5 is an extremely insecure password, I know, but there are really good passwords that use repeated characters and increase the password entropy), and I think that this kind of password is easier to crack using a brute-force attack (there are fewer passwords that need to be checked).

Am I missing something?

I'm not a security expert so...

Could anybody explain to me whether this policy is right or wrong?

Thanks


Solution

  • Disallowing good passwords that happen to have repeated characters, like jjjbtieooygn, does slightly reduce security, since it very slightly reduces the search space (assuming the attacker knows the rules).

    But the point of such restrictions is to disallow really poor passwords like jjjkkklllmmm.

    An ideal solution would be to reject easily broken passwords -- but judging whether a password is easily broken is an extremely hard problem. It wouldn't be an issue if users could be trusted to use good passwords, but according to this article the three most popular passwords are password, 123456, and 12345678.

    Rejecting xxxxx5 is far more likely to catch someone trying to use a really bad password than to inconvenience someone who happened to get xxxxx5 from a high-quality random number generator.
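To put numbers on the "very slightly reduces the search space" point, here is an added Python example that is not part of the question or the answer above. It implements a hypothetical run-length policy check (`violates_run_policy`, rejecting any character repeated more than `max_run` times in a row) and a dynamic-programming count of how many strings of a given length survive that rule, so the entropy lost by the policy can be computed exactly. The alphabet size of 62 (letters and digits) and the password length of 12 are assumptions for the demonstration.

```python
import math
from itertools import groupby


def longest_run(password: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    return max((len(list(g)) for _, g in groupby(password)), default=0)


def violates_run_policy(password: str, max_run: int = 2) -> bool:
    """Hypothetical policy: reject a password if any character repeats
    more than `max_run` times consecutively (e.g. 'xxxxx5' with max_run=2)."""
    return longest_run(password) > max_run


def count_without_runs(alphabet_size: int, length: int, max_run: int) -> int:
    """Exact number of strings of `length` over `alphabet_size` symbols in which
    no symbol appears more than `max_run` times in a row.

    Dynamic programming over the length of the trailing run: run[r] is the
    number of valid strings whose last r characters are identical (1 <= r <= max_run).
    """
    if max_run < 1:
        raise ValueError("max_run must be at least 1")
    if length == 0:
        return 1
    run = [0] * (max_run + 1)
    run[1] = alphabet_size  # every one-character string ends in a run of 1
    for _ in range(length - 1):
        new = [0] * (max_run + 1)
        # Appending a character different from the last one (alphabet_size - 1
        # choices) starts a fresh run of length 1, whatever the previous run was.
        new[1] = sum(run) * (alphabet_size - 1)
        # Appending the same character extends a run of r to r + 1, allowed only
        # while r + 1 <= max_run.
        for r in range(1, max_run):
            new[r + 1] = run[r]
        run = new
    return sum(run)


def entropy_loss_bits(alphabet_size: int, length: int, max_run: int) -> float:
    """Bits of search space an attacker who knows the policy gains, i.e.
    log2(all strings) - log2(strings the policy still allows)."""
    full = alphabet_size ** length
    allowed = count_without_runs(alphabet_size, length, max_run)
    return math.log2(full) - math.log2(allowed)


if __name__ == "__main__":
    # Constructed sample passwords, taken from the discussion above.
    for pw in ("xxxxx5", "jjjbtieooygn", "jjjkkklllmmm", "jjbtieooygn"):
        print(f"{pw:14s} longest run={longest_run(pw)} "
              f"rejected={violates_run_policy(pw)}")
    # Assumed parameters: 62-symbol alphabet (a-zA-Z0-9), 12-character passwords.
    loss = entropy_loss_bits(62, 12, 2)
    print(f"entropy lost by forbidding runs of 3+ at 62^12: {loss:.4f} bits")
```

The output shows the trade-off the answer describes: the rule rejects both the terrible xxxxx5 and the perfectly good jjjbtieooygn, but for random 12-character alphanumeric passwords the search space shrinks by only a few thousandths of a bit, because runs of three or more identical characters are rare in uniformly random strings. The DP count can be reused to evaluate other run limits or alphabet sizes before adopting such a rule.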