Passwords with Simple Character Substitution are Weak

A common piece of password advice is to substitute characters, such as numbers or special characters, for letters. For example, password becomes [email protected]$$w0rd. These are sometimes called “leetspeak” passwords, because “elite” hackers originally used such character substitutions.

Unfortunately, leetspeak passwords are far from secure. For years, password cracking applications have been able to recognize most character substitutions, decipher the underlying word, and crack the password.

Here are a few excerpts about how leetspeak and character substitution passwords are weak. Links to the source pages follow each excerpt:

PRTK… runs the dictionaries with common substitutions: "$" for "s," "@" for "a," "1" for "l" and so on. Anything that's "leet speak" is included here, like "3" for "e."

WIRED: Secure Passwords Keep You Safer

The problem … is that today’s hackers rarely start with a blank slate. Instead, they begin by searching for English words plus common substitutions, such as $ for S. That makes them very well adapted to breaking exactly the kind of [email protected]$ users tend to create

INTHEBLACK: Everything You’ve Been Told About Passwords Is Wrong

So-called "elite" or "l33t" speak was once a useful way of increasing a password's complexity, but the rules of "l33t" substitution are now well known. Similarly, taking a common word or phrase and trying to make it more complex through random capitalization and by appending numbers does little to add real security.

InformationWeek: How to Build Better Passwords

Some password cracking utilities are also smart enough to use common character substitutions for common words. Cracking "[email protected]" may take longer than cracking "password", but it will still be relatively trivial to crack because, special characters or not, the password is still "password".

PCWorld: Creating Secure Passwords You Can Remember

Many users choose passwords such as "bogus1!", or "1!bogus" in an attempt to create a memorable, yet harder to crack password, based on dictionary words slightly modified with additional numbers and symbols. Another common password substitutes numbers and symbols for letters, such as 3 for E, or $ for S. These types of passwords pass through many password filters and policies, yet still pose organizational vulnerability because they can easily be cracked. L0phtCrack 6 cracks these passwords in much less time than it takes for a brute force attack.

L0phtCrack: Using L0phtCrack 6 [page now offline]

Making a weak password seemingly more random by substituting numbers or symbols for letters (@ for a, 3 for E, ! or 1 for I, say) doesn't help, because those who crack passwords have long since cottoned on to this too.

The Economist: Password unprotected

Do Not Use Hacker Terminology — If you think you are elite because you use hacker terminology — also called l337 (LEET) speak — in your password, think again. Many word lists include LEET speak.

Red Hat: Password Security

Substituting characters is still a good practice for creating strong passwords, but it’s best to start with an entire phrase instead of a single dictionary word, and then insert several other characters throughout the password to make it more pseudo-random.

Leave WordPress Security to the Experts

If website security has you worriedly wringing your hands, get one of our WordPress Maintenance Plans and enjoy some peace of mind. All of our plans include security scans. Rest easy. We’re watching your site.

Filed Under: 
Tagged With: 

Want tips to rocket-boost your website?

Simply sign up.

5 comments on “Passwords with Simple Character Substitution are Weak”

  1. All good information:Thanks. I was guilty of thinking simple words with character substitutions would be highly secure.

  2. The days of remembering multiple passwords are over. Use a secure password manager and have it generate pseudo-random passwords for you (with you supplying random data for a seed).

  3. Great write-up, thank you very much for putting this together. Any chance of updating it with some of the most recent developments in password cracking and password managers (ie. multiple breaches LastPass had)?

    1. You're welcome, Alex. Unfortunately, I don't plan to update this post, or write new ones about password security in the foreseeable future. Although the topic of password security is loosely connected to the WordPress web design and development services we offer, it's not closely related enough to justify spending time posting about the topic. We'll leave that to security experts to cover. 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

Ready to Blast Off?

Let's talk.

Contact OptimWise