> The password quality is just adequate, but I think the idea has potential to be very secure.
The op makes no broad claims. I think your insights are helpful, but I would change your wording from "Congratulations" to "unfortunately" and then politely point out how to resolve the issue.
There is no issue. Length extension requires the full (or as close to full as to make no difference) output of the hash function.
The problem with hash functions like SHA1,2 and MD5 is that their output represents their entire internal state.
In this case let's say an attacker recovered the password for door 1. They can then compute what the passwords associated with Door's whose number starts with 1.
As the password is substantially truncated, this does not represent the final state of the hash, and the attack is not useful.
That aside, this still suffers from weak key derivation, allowing a more direct bruteforce attack, as others have mentioned.
The op makes no broad claims. I think your insights are helpful, but I would change your wording from "Congratulations" to "unfortunately" and then politely point out how to resolve the issue.