First, you have to realize that Entrust uses something they call an Entrust Profile, which is a file that contains some plaintext data and some encrypted data. In order to use a cryptographic key pair for encrypting or decrypting a symmetric key (which is randomly generated using strictly governed algorithms certified by the government), you have to decrypt the private (or secret) part of the public key pair (also generated in a similar random fashion).

The interesting and relevant part of the process (to this blog post anyway) is that the password you choose is hashed something like 10,000 times, every time it is used to decrypt the profile to access the private key. It makes for a pretty good random distribution of bits witin a fixed hash size. Certainly, not all products go to this extreme to ensure that passwords are not subject to attack due to the problem you describe above.

Entrust does enforce strong passwords with a configurable policy; with more settings than you’ll probably ever need (eg. percent of password that can be repeated in substrings, etc.).

I don’t know if that adds value or not, but at least some of us care!