A common piece of password advice is to substitute numbers or special characters for letters. For example, "password" becomes "P@$$w0rd". These are sometimes called "leetspeak" passwords, after the "elite" (l33t) spelling that hackers originally used for such character substitutions.
Unfortunately, leetspeak passwords are far from secure. For years, password cracking tools have applied the common substitutions as rules to every word in their dictionaries, so a substituted word is recovered almost as quickly as the plain word: the substitutions multiply the attacker's guesses by a small constant, not by anything resembling the work of a brute-force search.
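To make the point concrete, here is an added example (not code from the original post or from any of the tools quoted below) of how a rule-based cracker handles character substitution. The wordlist and target passwords are constructed for the demonstration; the substitution table is modelled on the kind of leetspeak rules that tools such as hashcat and John the Ripper ship with, and SHA-256 stands in for whatever hash the real target uses (a slow hash changes the cost per guess, not the number of guesses). The second half shows the defensive counterpart, a password filter that undoes the substitutions before checking for a dictionary word, which is the check most policies lack.

```python
import hashlib
import itertools

# Constructed stand-in for a real cracking dictionary (rockyou and the like).
WORDLIST = ["password", "bogus", "letmein", "welcome", "summer", "dragon"]

# Substitutions a rule-based cracker tries (assumed table, modelled on the
# leet rule sets of hashcat / John the Ripper). Each letter keeps itself as
# an option so that every mixture of plain and substituted letters is tried.
SUBS = {
    "a": ["a", "@", "4"],
    "e": ["e", "3"],
    "i": ["i", "1", "!"],
    "l": ["l", "1"],
    "o": ["o", "0"],
    "s": ["s", "$", "5"],
    "t": ["t", "7"],
}

# Digits and symbols users bolt onto a word ("bogus1!", "1!bogus").
AFFIXES = ["1", "!", "1!", "123", "2024"]


def sha256_hex(text):
    """Hex digest of a candidate, the comparison a cracker performs per guess."""
    return hashlib.sha256(text.encode()).hexdigest()


def leet_variants(word):
    """Yield every substitution and capitalisation variant of one word."""
    choices = [SUBS.get(ch, [ch]) for ch in word]
    for combo in itertools.product(*choices):
        base = "".join(combo)
        yield base
        yield base.capitalize()
        yield base.upper()


def candidates(wordlist=WORDLIST):
    """Guesses in roughly the order a rule-based attack emits them, deduplicated."""
    seen = set()
    for word in wordlist:
        for variant in leet_variants(word):
            guesses = [variant]
            guesses += [variant + a for a in AFFIXES]   # bogus1!
            guesses += [a + variant for a in AFFIXES]   # 1!bogus
            for guess in guesses:
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def crack(target_hex, wordlist=WORDLIST):
    """Return (plaintext, guesses_used) for a SHA-256 hex digest,
    or (None, total_guesses) when the rule set never produces it."""
    n = 0
    for n, guess in enumerate(candidates(wordlist), 1):
        if sha256_hex(guess) == target_hex:
            return guess, n
    return None, n


def deleet_readings(pw):
    """Every plain-letter reading of a password ('1' may be 'i' or 'l')."""
    options = []
    for ch in pw.lower():
        letters = [letter for letter, subs in SUBS.items() if ch in subs]
        options.append(letters or [ch])
    return {"".join(reading) for reading in itertools.product(*options)}


def is_dictionary_based(pw, wordlist=WORDLIST, max_affix=4):
    """Password-filter check: True if undoing the substitutions exposes a
    dictionary word with at most max_affix extra characters around it."""
    return any(
        word in reading and len(pw) - len(word) <= max_affix
        for reading in deleet_readings(pw)
        for word in wordlist
    )


def demo():
    """Hash constructed targets and crack them; returns {password: guesses or None}."""
    results = {}
    for pw in ["P@$$w0rd", "bogus1!", "1!bogus", "xK9#qLm2"]:
        found, n = crack(sha256_hex(pw))  # constructed target hash
        results[pw] = n if found == pw else None
    return results


if __name__ == "__main__":
    for pw, n in demo().items():
        status = f"cracked after {n} guesses" if n else "not produced by the rule set"
        print(f"{pw:10} {status:36} flagged by filter: {is_dictionary_based(pw)}")
```

With this six-word dictionary the whole rule set is under 5,000 guesses, and "P@$$w0rd" falls within the first thousand; a real dictionary is larger, but the multiplier per word is the same few hundred variants, which is nothing against a hash rate of millions of guesses per second. The random-looking "xK9#qLm2" is never generated because no rule derives it from a dictionary word, which is the whole difference between a substituted word and a genuinely random password.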
Here are a few excerpts about how leetspeak and character substitution passwords are weak. Links to the source pages follow each excerpt:
PRTK… runs the dictionaries with common substitutions: “$” for “s,” “@” for “a,” “1” for “l” and so on. Anything that’s “leet speak” is included here, like “3” for “e.”
So-called “elite” or “l33t” speak was once a useful way of increasing a password’s complexity, but the rules of “l33t” substitution are now well known. Similarly, taking a common word or phrase and trying to make it more complex through random capitalization and by appending numbers does little to add real security.
Some password cracking utilities are also smart enough to use common character substitutions for common words. Cracking “[email protected]” may take longer than cracking “password”, but it will still be relatively trivial to crack because, special characters or not, the password is still “password”.
Many users choose passwords such as “bogus1!”, or “1!bogus” in an attempt to create a memorable, yet harder to crack password, based on dictionary words slightly modified with additional numbers and symbols. Another common password substitutes numbers and symbols for letters, such as 3 for E, or $ for S. These types of passwords pass through many password filters and policies, yet still pose organizational vulnerability because they can easily be cracked. L0phtCrack 6 cracks these passwords in much less time than it takes for a brute force attack.
L0phtCrack: Using L0phtCrack 6 [page now offline]
Making a weak password seemingly more random by substituting numbers or symbols for letters (@ for a, 3 for E, ! or 1 for I, say) doesn’t help, because those who crack passwords have long since cottoned on to this too.
Do Not Use Hacker Terminology — If you think you are elite because you use hacker terminology — also called l337 (LEET) speak — in your password, think again. Many word lists include LEET speak.
Character substitution is not useless, but it is only a minor garnish: the strength of a password comes from how many guesses an attacker's dictionary and rules need to reach it, and a substituted dictionary word is still reached in a few hundred extra guesses. If you want something memorable, start from an entire phrase rather than a single word, so the base itself is not in any wordlist, and then substitute or insert characters throughout the phrase rather than only at the obvious positions. Better still is a long password that was never derived from words at all, which no substitution rule can reconstruct.