When “qwerty11” is a good password … Meet Entropy
In presentations I show an outline of how “qwerty11” is hashed, so it surprised me that my ISP rated “qwerty11” as a good password:
And I have tried to highlight this:
In the end, my ISP admitted on Twitter that ease-of-use trumped security:
But why does this happen? Surely “qwerty11” can never be seen as a good password? The reason is that companies often use simple entropy checkers, which only measure the amount of variation among the characters of a password. To a computer, “qwerty” has quite a bit of variation, but a human can instantly see that the password is taken straight from the second row of a keyboard.
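To show why a naive entropy checker accepts “qwerty11”, here is an added example (not code from the original post or from any ISP's checker) that scores a password two ways: by Shannon entropy alone, and by entropy plus a check for keyboard walks. The row layout (US QWERTY), the 20-bit acceptance threshold and the 3-character walk limit are assumptions chosen for illustration.

```python
import math
from collections import Counter

# Assumption: a US QWERTY layout; the post names no specific keyboard.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def shannon_entropy_bits(s: str) -> float:
    """Shannon entropy of the character distribution of s, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def total_entropy_bits(s: str) -> float:
    """Per-character entropy times length: the 'amount of change' a naive checker scores."""
    return shannon_entropy_bits(s) * len(s)


def longest_keyboard_walk(s: str) -> int:
    """Length of the longest run in s that is a contiguous slice of a keyboard row,
    read forwards or backwards. Returns 0 when no run of two or more characters matches."""
    s = s.lower()
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    best = 0
    for row in rows:
        for i in range(len(s)):
            for j in range(i + 2, len(s) + 1):
                if s[i:j] in row:
                    best = max(best, j - i)
                else:
                    break  # a longer slice from i cannot match once this one fails
    return best


def naive_checker_accepts(pw: str, min_bits: float = 20.0) -> bool:
    """Entropy-only rule of the kind the post describes (threshold is an assumption)."""
    return total_entropy_bits(pw) >= min_bits


def pattern_aware_checker_accepts(pw: str, min_bits: float = 20.0, max_walk: int = 3) -> bool:
    """Same entropy rule, but also rejects passwords built from a keyboard walk."""
    return naive_checker_accepts(pw, min_bits) and longest_keyboard_walk(pw) <= max_walk


if __name__ == "__main__":
    for pw in ("qwerty11", "x7Gq2Lp9"):  # constructed sample passwords
        print(pw, round(total_entropy_bits(pw), 2), "bits,",
              "walk", longest_keyboard_walk(pw),
              "naive:", naive_checker_accepts(pw),
              "pattern-aware:", pattern_aware_checker_accepts(pw))
```

“qwerty11” scores 2.75 bits per character (22 bits in total), about the same as a random 8-character string, so the entropy-only rule accepts it; only the keyboard-walk check tells the two apart.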
With string entropy we measure the amount of variation in a string, which is typically used to…