When “qwerty11” is a good password … Meet Entropy

In presentations I show an outline of the hashing of “qwerty11”. And so it surprised me that “qwerty11” was seen as a good password from my ISP:

and I have tried to highlight this:

In the end, my ISP admitted on Twitter that ease-of-use trumped security:

But why does this happen? Surely “qwerty11” can never be seen as a good password? The reason is that companies often use simple entropy checkers, which measure only the amount of variation in a password: its length and the character classes it draws on. To such a checker “qwerty” looks like six distinct lower-case letters, and so has a fair amount of variation, but a human can instantly see that the password is just the top row of letters on a keyboard.

String entropy measures the amount of variation in a string, and it is commonly used as a proxy for password strength. The score used here grows with the length of the string and with the size of the character set it draws on (lower case, upper case, digits), so it rewards length and mixed classes but knows nothing about what the characters mean. The following gives some example scores:

Password               Entropy score
1111111                 23
qwerty1                 36
zzhg632                 36
abcdefgh                38
qwerty11                41
k5DfGhqw                48
azazazaz                38
qwerty123               47
hqxwazp19               47
hqxwazp195g2dfa         78
hqxwaz91xp195g2dfa      93
hAqxwaZ91xp195g2dfa    113

The surprising thing here is that “qwerty1” gets the same score as “zzhg632”: both are seven characters drawn from lower-case letters and digits, and that is all the measure looks at. Many online systems use a measure of this kind to assess passwords. Some sample code (Node.js, using the string-entropy package) to obtain a score is:

const entropy = require("string-entropy"); // npm package: scores a string on length and character classes
const mystr = "test";
console.log("String:\t\t", mystr);
const res = entropy(mystr);
console.log("Entropy:\t", res);
// Bands for the verdict; the thresholds are a choice, not part of the package.
if (res < 25) console.log("Poor password");
else if (res < 50) console.log("Weak password");
else if (res < 75) console.log("Reasonable password");
else if (res < 100) console.log("Very good password");
else console.log("Excellent password");

Now we see the problem: the entropy checker never asks whether the string is a dictionary word, a keyboard walk or a repeated pattern, and any of those makes a password far weaker than its score suggests, because an attacker will try such candidates first.

Another area where we can use entropy is in a domain name checker. Typically a bot will generate randomised names for its fake sites (e.g. 89z0209uC4.com). If we try “89z0209uC4.com” with the online checker we get a score of 89, while “google.com” gets a score of 50. In this way we can apply a threshold to domain names, so that domains with a relatively high score are picked out for further checking. If you are interested in this, here is a recent research paper we published.
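As an added example that is not part of the original post or of the string-entropy package, the following Node.js script re-implements the length × log2(alphabet) score that every row of the table above follows, adds the pattern checks (dictionary word, keyboard walk, sequence, repetition) that such a score cannot make, and reuses the same score as the domain-name threshold described above. The class sizes 26/26/10 are inferred from the table; the symbol-class size, the word and keyboard lists, the 45-bit domain threshold and the TLD handling are assumptions chosen for the illustration, and its domain scores will not match the 89 and 50 quoted above because it scores only the lower-cased label rather than the whole name.

```javascript
// Added example (not the article's code): the length * log2(alphabet) score
// that every row of the article's table follows, the pattern checks such a
// score omits, and the same score reused as a domain-name threshold.
// Class sizes 26/26/10 are taken from the table; the symbol class is assumed.
const SYMBOL_CLASS_SIZE = 33; // assumed: printable ASCII minus letters and digits

// What a simple checker measures: only length and which character classes occur.
function charsetEntropy(str) {
  let alphabet = 0;
  if (/[a-z]/.test(str)) alphabet += 26;
  if (/[A-Z]/.test(str)) alphabet += 26;
  if (/[0-9]/.test(str)) alphabet += 10;
  if (/[^a-zA-Z0-9]/.test(str)) alphabet += SYMBOL_CLASS_SIZE;
  return alphabet === 0 ? 0 : Math.round(str.length * Math.log2(alphabet));
}

// The five bands used by the article's snippet.
function rating(bits) {
  if (bits < 25) return 'Poor';
  if (bits < 50) return 'Weak';
  if (bits < 75) return 'Reasonable';
  if (bits < 100) return 'Very good';
  return 'Excellent';
}

// Checks the score cannot make. These lists are constructed and deliberately
// tiny; a real checker uses a breached-password corpus and a full keyboard map.
const KEYBOARD_ROWS = ['qwertyuiop', 'asdfghjkl', 'zxcvbnm', '1234567890'];
const SEQUENCES = ['abcdefghijklmnopqrstuvwxyz', '0123456789'];
const DICTIONARY = new Set(['password', 'letmein', 'welcome', 'qwerty']);

// True if any 4-character window of pw runs along `track` in either direction.
function hasRun(pw, track) {
  const reversed = [...track].reverse().join('');
  for (let i = 0; i + 4 <= pw.length; i++) {
    const window = pw.slice(i, i + 4);
    if (track.includes(window) || reversed.includes(window)) return true;
  }
  return false;
}

function patternWeaknesses(password) {
  const pw = password.toLowerCase();
  const problems = [];
  // "qwerty11" is "qwerty" plus a digit suffix: strip the suffix before lookup.
  const stem = pw.replace(/\d+$/, '');
  if (DICTIONARY.has(pw) || DICTIONARY.has(stem)) problems.push('dictionary word');
  if (KEYBOARD_ROWS.some(row => hasRun(pw, row))) problems.push('keyboard walk');
  if (SEQUENCES.some(seq => hasRun(pw, seq))) problems.push('sequence');
  if (/^(.{1,3})\1+$/.test(pw)) problems.push('repeated pattern'); // azazazaz, 1111111
  return problems;
}

// Combined verdict: the entropy band plus the pattern findings.
function assess(password) {
  const bits = charsetEntropy(password);
  const problems = patternWeaknesses(password);
  return { password, bits, rating: rating(bits), problems,
           accept: bits >= 50 && problems.length === 0 };
}

// Domain names: DNS is case-insensitive, so lower-case first (an upper-case
// letter adds no real variation), drop the TLD and score the longest remaining
// label. Public-suffix handling is simplified for the example.
function domainLabel(domain) {
  const labels = domain.toLowerCase().split('.').filter(Boolean);
  if (labels.length > 1) labels.pop();
  return labels.reduce((a, b) => (b.length > a.length ? b : a), '');
}

function domainLabelEntropy(domain) {
  return charsetEntropy(domainLabel(domain));
}

// The 45-bit threshold is an assumption chosen for this illustration.
function isSuspiciousDomain(domain, threshold = 45) {
  return domainLabelEntropy(domain) >= threshold;
}

// Demo on entries from the article's table and the two domains it mentions.
for (const pw of ['1111111', 'qwerty1', 'zzhg632', 'abcdefgh', 'qwerty11',
                  'k5DfGhqw', 'azazazaz', 'hqxwazp195g2dfa']) {
  const r = assess(pw);
  console.log(`${pw.padEnd(16)} ${String(r.bits).padStart(4)}  ${r.rating.padEnd(10)} ` +
              `${r.accept ? 'accept' : 'reject'}  ${r.problems.join(', ')}`);
}
for (const d of ['google.com', '89z0209uC4.com']) {
  console.log(`${d.padEnd(16)} ${String(domainLabelEntropy(d)).padStart(4)}  ` +
              `${isSuspiciousDomain(d) ? 'flag' : 'ok'}`);
}
```

Run it with node; it needs no packages. “qwerty1” and “zzhg632” tie at 36 bits, but only the first carries a pattern finding, which is exactly the check the ISP's scorer was missing. On the domain side a bare entropy threshold also flags long legitimate names (a 20-letter brand scores well above 45 bits), so in practice it is a triage signal to combine with other features rather than a verdict on its own.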