A common piece of password advice is to substitute numbers or special characters for letters, so that password becomes p@$$w0rd. These are sometimes called "leetspeak" passwords, after the "leet" (elite) spelling in which hackers originally used such character substitutions.
Unfortunately, leetspeak passwords are far from secure. For years, password-cracking tools have applied the common substitutions as rules to every word in their dictionaries, so p@$$w0rd is tried a few guesses after password. The substitutions add a handful of variants per dictionary word, not a meaningful amount of entropy, and the underlying word is still the one the attacker started from.
Here are a few excerpts describing how leetspeak and character-substitution passwords are weak. The source of each excerpt is named after it:
PRTK… runs the dictionaries with common substitutions: "$" for "s," "@" for "a," "1" for "l" and so on. Anything that's "leet speak" is included here, like "3" for "e."
(Source: WIRED: Secure Passwords Keep You Safer)
The problem … is that today's hackers rarely start with a blank slate. Instead, they begin by searching for English words plus common substitutions, such as $ for S. That makes them very well adapted to breaking exactly the kind of p@$$w0rd$ users tend to create.
(Source: INTHEBLACK: Everything You've Been Told About Passwords Is Wrong)
So-called "elite" or "l33t" speak was once a useful way of increasing a password's complexity, but the rules of "l33t" substitution are now well known. Similarly, taking a common word or phrase and trying to make it more complex through random capitalization and by appending numbers does little to add real security.
(Source: InformationWeek: How to Build Better Passwords)
Some password cracking utilities are also smart enough to use common character substitutions for common words. Cracking "p@$$w0rd" may take longer than cracking "password", but it will still be relatively trivial to crack because, special characters or not, the password is still "password".
(Source: PCWorld: Creating Secure Passwords You Can Remember)
Many users choose passwords such as "bogus1!", or "1!bogus" in an attempt to create a memorable, yet harder to crack password, based on dictionary words slightly modified with additional numbers and symbols. Another common password substitutes numbers and symbols for letters, such as 3 for E, or $ for S. These types of passwords pass through many password filters and policies, yet still pose organizational vulnerability because they can easily be cracked. L0phtCrack 6 cracks these passwords in much less time than it takes for a brute force attack.
(Source: L0phtCrack: Using L0phtCrack 6 [page now offline])
Making a weak password seemingly more random by substituting numbers or symbols for letters (@ for a, 3 for E, ! or 1 for I, say) doesn't help, because those who crack passwords have long since cottoned on to this too.
(Source: The Economist: Password unprotected)
Do Not Use Hacker Terminology — If you think you are elite because you use hacker terminology — also called l337 (LEET) speak — in your password, think again. Many word lists include LEET speak.
(Source: Red Hat: Password Security)
Character substitution can still play a part in a strong password, but only as a finishing touch: the strength has to come from length and unpredictability. Start with an entire phrase of several unrelated words rather than a single dictionary word, then insert substitutions and extra characters at positions that do not follow the standard table (an @ for every a is exactly what the cracking rules expect). Where you do not need to memorise the password at all, a long random string from a password manager is stronger still, because it removes the dictionary from the attacker's search entirely.
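To make the excerpts' point concrete, here is a small rule-based mangling cracker in Python. It is an added example, not code from the original article or from any of the tools quoted above: it applies the same substitution table the excerpts describe to a wordlist, counts how many guesses it takes to recover p@$$w0rd, and compares that search space with a blind brute force. The wordlist, the substitution table, the suffix list and the use of unsalted SHA-256 as the target hash are all constructed for the demo; real crackers such as hashcat and John the Ripper express the same idea as rule files (hashcat's `sa@`, `ss$`, `so0` replace every a, s and o) and run thousands of rules over wordlists of millions of entries.

```python
import hashlib
import itertools

# Constructed demo wordlist. Real wordlists hold millions of entries;
# five words are enough to show the mechanics.
WORDLIST = ["password", "letmein", "welcome", "dragon", "monkey"]

# The substitution table every cracker ships. The first entry of each list
# is the unmodified letter, so plain and "leet" spellings come out together.
LEET = {
    "a": ["a", "@", "4"],
    "e": ["e", "3"],
    "i": ["i", "1", "!"],
    "l": ["l", "1"],
    "o": ["o", "0"],
    "s": ["s", "$", "5"],
    "t": ["t", "7"],
}

# Tails users append to satisfy "must contain a digit/symbol" policies
# (the "bogus1!" pattern from the L0phtCrack excerpt). Constructed list.
SUFFIXES = ["", "1", "!", "123", "1!"]


def leet_variants(word):
    """Yield every per-character substitution of `word` from LEET, each in
    lower case and with an initial capital (another common user habit)."""
    choices = [LEET.get(ch, [ch]) for ch in word]
    for combo in itertools.product(*choices):
        candidate = "".join(combo)
        yield candidate
        yield candidate[0].upper() + candidate[1:]


def candidates(wordlist=WORDLIST, suffixes=SUFFIXES):
    """Yield the full guess list (word x substitutions x capitalisation x
    suffix) in the order a rule-based cracker tries them, without repeats."""
    seen = set()
    for word in wordlist:
        for variant in leet_variants(word):
            for suffix in suffixes:
                guess = variant + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def sha256_hex(text):
    # Unsalted SHA-256 stands in for whatever hash the target used. A slow,
    # salted KDF makes each guess cost more; it does not change the guess count.
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash, wordlist=WORDLIST):
    """Return (plaintext, guesses_made); plaintext is None when the rule set
    never produces the password."""
    guesses = 0
    for guesses, guess in enumerate(candidates(wordlist), 1):
        if sha256_hex(guess) == target_hash:
            return guess, guesses
    return None, guesses


def total_candidates(wordlist=WORDLIST):
    """Size of the search space the rules produce for this wordlist."""
    return sum(1 for _ in candidates(wordlist))


def brute_force_space(length=8, alphabet_size=95):
    """Keyspace a blind brute force over printable ASCII would face."""
    return alphabet_size ** length


if __name__ == "__main__":
    found, n = crack(sha256_hex("p@$$w0rd"))
    print(f"recovered {found!r} after {n} guesses")
    print(f"rule-based search space: {total_candidates()} guesses")
    print(f"blind 8-character brute force: {brute_force_space()} guesses")
    # A multi-word phrase is outside any word-plus-rules search space:
    print(crack(sha256_hex("correct horse battery staple")))
```

With five words and seven substitution rules the whole search space is under 1,500 guesses, and p@$$w0rd falls on guess 271, against roughly 6.6 quadrillion for a blind 8-character brute force; every extra rule multiplies the word count by a small constant, which is why a leetspeak variant is never far from its base word. The phrase on the last line is never generated, because no amount of per-character mangling turns one dictionary word into four.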
If website security has you worriedly wringing your hands, get one of our WordPress Maintenance Plans and enjoy some peace of mind. All of our plans include security scans. Rest easy. We’re watching your site.