When “qwerty11” is a good password … Meet Entropy

--

In presentations I show an outline of the hashing of “qwerty11”. And so it surprised me that “qwerty11” was seen as a good password from my ISP:

and I have tried to highlight this:

In the end, my ISP admitted on Twitter that ease-of-use trumped security:

But why does this happen? Surely “qwerty11” can never be seen as a good password? The reason is that companies often use simple entropy checkers to measure the amount of change in a password. For a computer, “qwerty” has quite a bit of change, but a human can instantly see that the password is derived from the first line of letters on a keyboard.

With string entropy we measure the amount of change in a string, which is typically used to…
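To make the point concrete, here is an added example (not code from the article) that computes the Shannon entropy of a password string, the measure a simple entropy checker uses, and then adds the kind of keyboard-pattern check that a human applies instinctively. The keyboard rows, the 20-bit threshold and the maximum run length of 3 are assumptions chosen for illustration; real checkers such as zxcvbn use much richer dictionaries and adjacency graphs.

```python
import math
from collections import Counter

# Keyboard rows for the pattern check (constructed for this example; a production
# checker would also cover diagonals, shifted characters and other layouts).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def shannon_entropy_bits(s: str) -> float:
    """Shannon entropy of the character distribution, in bits per character.

    This is what a naive 'entropy checker' measures: how varied the characters
    are, with no notion of whether the string is a keyboard walk or a word.
    """
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def total_entropy_bits(s: str) -> float:
    """Bits per character scaled by length, the figure checkers usually report."""
    return shannon_entropy_bits(s) * len(s)


def longest_keyboard_run(s: str) -> int:
    """Length of the longest substring that walks contiguously along one keyboard
    row, forwards or backwards, case-insensitive. 'qwerty11' scores 6."""
    s = s.lower()
    n = len(s)
    best = 0
    for i in range(n):
        for j in range(i + 1, n + 1):
            sub = s[i:j]
            # A keyboard run is prefix-closed, so stop extending once it breaks.
            if any(sub in row or sub in row[::-1] for row in KEYBOARD_ROWS):
                best = max(best, j - i)
            else:
                break
    return best


def assess(password: str, min_bits: float = 20.0, max_run: int = 3) -> dict:
    """Compare an entropy-only verdict with one that also rejects keyboard walks.

    min_bits and max_run are illustrative thresholds (assumptions), not values
    taken from any real policy.
    """
    bits = total_entropy_bits(password)
    run = longest_keyboard_run(password)
    entropy_ok = bits >= min_bits
    pattern_ok = run <= max_run
    return {
        "bits": bits,
        "keyboard_run": run,
        "entropy_only": entropy_ok,
        "with_pattern_check": entropy_ok and pattern_ok,
    }


if __name__ == "__main__":
    # Constructed sample passwords: the article's example and a random-looking one.
    for pw in ("qwerty11", "Xk9#pL2q"):
        print(pw, assess(pw))
```

Running this shows the problem the article describes: “qwerty11” carries 22 bits of string entropy (2.75 bits per character), barely below the 24 bits of an eight-character random-looking string, so an entropy-only rule waves it through. The keyboard-run check sees a contiguous walk of six keys and rejects it, which is the judgement the human reviewer made instantly.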

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice