by UncleMeat 2276 days ago
> For example, if a rainbow table contains a match for "a" repeating 500 times, then that password's entropy is a non-factor.

But it doesn't. You seem to be taking it as gospel that this sort of password is going to show up early in the list of passwords people are trying. But I don't buy it. There is no need to reject a long password that contains some repeated characters.


Why doesn't it? If that password became public knowledge, then it certainly does exist in lists and tables. Its high entropy is only protective as long as it remains secret. This is why it's important to avoid common patterns, even if those patterns are a result of a random number generator.
Every password that becomes public knowledge ends up in credential stuffing lists, whether it matches your password policy or not.

"Common patterns" and "passwords that contain repeated characters" are not even remotely the same thing.

>Every password that becomes public knowledge ends up in credential stuffing lists, whether it matches your password policy or not.

That's right. And we don't want to produce passwords that are likely to be on those lists. A simple policy greatly reduces the chances of that happening. After a certain number of zeros, entropy is no longer a concern.

>"Common patterns" and "passwords that contain repeated characters" are not even remotely the same thing.

I've already addressed this.
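One way to make the two checks under debate concrete, as an added Python example that is not part of the thread: a hashed blocklist lookup against a constructed stand-in for a leaked-credential list, plus a run-length-aware entropy heuristic (an assumption of this example, not a standard formula) that scores "a" repeated 500 times low without penalizing a long passphrase that merely contains some doubled letters.

```python
import hashlib
import itertools
import math

# Constructed stand-in for a leaked-credential list (not a real breach corpus).
# Kept as SHA-1 hex digests, as a local blocklist usually would be, so the
# plaintexts are not sitting in the checker itself.
_LEAKED_PLAINTEXTS = ["password", "123456", "qwerty123", "a" * 500]
LEAKED_HASHES = {hashlib.sha1(p.encode()).hexdigest() for p in _LEAKED_PLAINTEXTS}

def in_leak_list(password: str) -> bool:
    """Public-knowledge check: has this exact string already leaked?"""
    return hashlib.sha1(password.encode()).hexdigest() in LEAKED_HASHES

def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes actually used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size or 1

def compressed_entropy_bits(password: str) -> float:
    """Heuristic (assumed here, not a standard formula): charge each run of
    identical characters once for the symbol plus log2(run length), so
    'a' * 500 scores ~13.7 bits while 20 random lowercase letters score ~94."""
    per_symbol = math.log2(charset_size(password))
    bits = 0.0
    for _, run in itertools.groupby(password):
        length = sum(1 for _ in run)
        bits += per_symbol + math.log2(length)  # log2(1) == 0 for single chars
    return bits

def evaluate(password: str, min_bits: float = 60.0) -> tuple:
    """Reject leaked passwords first; then reject only if the pattern-aware
    estimate is low. Repeated characters alone do not cause rejection."""
    if in_leak_list(password):
        return False, "rejected: found in leaked-credential list"
    bits = compressed_entropy_bits(password)
    if bits < min_bits:
        return False, f"rejected: estimated {bits:.1f} bits < {min_bits:.0f}"
    return True, f"accepted: estimated {bits:.1f} bits"
```

Calling `evaluate("a" * 500)` rejects on the blocklist, `evaluate("b" * 500)` rejects on the estimate, and a passphrase like `"zzmoon-rabbitt-9grapes"` passes despite its doubled letters.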