Passwords with Simple Character Substitution Are Weak