gjm comments on Entropy isn’t sufficient to measure password strength