Using entropy for user-friendly strong passwords

19 points by jordw over 3 years ago

2 comments

Kranar over 3 years ago

This article uses an outdated scheme for password entropy/strength originally published in the early 2000s by NIST. The scheme they use can be found at [1]. NIST has since dropped their recommendation for how to calculate the entropy of a password as it turned out that it was basically bunk and provided no actual security.

It was understandable at the time to come up with some system to evaluate password strength and the original scheme made what I guess could be sensible assumptions about the distribution of human generated passwords, but an actual empirical analysis of their scheme conducted on 32 million passwords demonstrated that it was basically worthless and consequently NIST has dropped their entropy calculating guidelines [2].

[1] https://cubicspot.blogspot.com/2011/11/how-to-calculate-password-strength.html

[2] https://834e27ae-a-62cb3a1a-s-sites.googlegroups.com/site/reusablesec/Home/presentations-and-papers/CCS_Password_Metric_Measurement.pdf?attachauth=ANoY7cp7NpL5rcMYxPMxniQoXGCYYVI-DpKI52S3b1xi0zvpHoR1zhCoyeet_h89DVelrW5QKc_K37HcZCz6NcSZaaiHzFWRnaaweNy6y5vhXltWodStI_oVTMCZB6vJuXd3efHpaK14qpAu7BU15TZ_LZ_UC5_-cuehEgeDEmH_-UEZR--3j7r2ZVMDm-q0L-SX-IxK0g8hhdiCNUr10gJeSizOviXGZ76vFPH1lp9K-_5zMd4f9HvsW3cNyZDX--IbvsBTEtepQ7R5ARa-91QByRhQlP7uDA%3D%3D&attredirects=0

kevincox over 3 years ago

> Password: mikemikemikemikem

> This password has similar entropy to the above password but would fail most common password requirements.

Citation needed. I suspect that repeating the password 2-5 times is fairly common and would expect password crackers to try passwords like this.

This is the problem of entropy for passwords, it depends on your distribution in complex ways. For passwords "buxeisee" has way more entropy than "pineapple" even though they appear to draw from the same symbol set and latter is longer. "pineapplepineapple" is much better than just "pineapple" but much worse than the random 8 letters and probably still worse than "pineapplepear".
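
An added example, not part of the thread or the linked article: it scores the four passwords from the last comment twice, once with the length-times-alphabet formula and once as the size of the cheapest guessing strategy that would produce the password. `DICT_SIZE`, `MAX_REPEAT` and the `WORDS` stand-in wordlist are assumptions chosen for illustration, and "buxeisee" only earns its score if it really was drawn uniformly at random.

```python
import math

# Assumptions (not from the thread): the attacker's wordlist has DICT_SIZE
# entries and each word is tried in 1..MAX_REPEAT copies. WORDS is a
# constructed stand-in for that wordlist.
DICT_SIZE = 7776
MAX_REPEAT = 5
WORDS = {"pineapple", "pear"}

def naive_bits(pw):
    """Length x log2(alphabet): assumes every character is chosen independently."""
    if not pw:
        return 0.0
    alphabet = (26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
                + 10 * any(c.isdigit() for c in pw) + 33 * any(not c.isalnum() for c in pw))
    return len(pw) * math.log2(max(alphabet, 2))

def word_count(pw):
    """Fewest wordlist words that concatenate to pw, or None if it does not segment."""
    best = [0] + [None] * len(pw)
    for end in range(1, len(pw) + 1):
        for start in range(end):
            if best[start] is not None and pw[start:end] in WORDS:
                if best[end] is None or best[start] + 1 < best[end]:
                    best[end] = best[start] + 1
    return best[len(pw)]

def repeat_unit(pw):
    """The wordlist word that pw repeats 2..MAX_REPEAT times, or None."""
    for k in range(2, MAX_REPEAT + 1):
        unit = pw[: len(pw) // k]
        if len(pw) % k == 0 and unit in WORDS and unit * k == pw:
            return unit
    return None

def model_bits(pw):
    """log2 of the guess space of the cheapest generator that explains pw."""
    costs = [naive_bits(pw)]                             # uniform random characters
    n = word_count(pw)
    if n:
        costs.append(n * math.log2(DICT_SIZE))           # n independent wordlist picks
    if repeat_unit(pw):
        costs.append(math.log2(DICT_SIZE * MAX_REPEAT))  # one word, 1..MAX_REPEAT copies
    return min(costs)

if __name__ == "__main__":
    for pw in ("pineapple", "pineapplepineapple", "pineapplepear", "buxeisee"):
        print(f"{pw:20} naive={naive_bits(pw):5.1f}  model={model_bits(pw):5.1f}")
```

Under these assumptions the model score reproduces the ordering given in the comment, while the naive formula ranks "pineapplepineapple" highest and the random eight letters lowest.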