Why Leet Substitution has Little Impact on Password Strength

While some sources advocate substituting letters with symbols to make passwords harder to crack, evidence exists that leet substitution has little impact on password strength. Consequently, businesses are advised to utilize password generation tools to create genuinely random passwords for each account and take advantage of password managers to save them securely.

For those unfamiliar with “leet substitution”, the term is derived from the days before the Internet when computer enthusiasts communicated with each other via bulletin board systems. Some bulletin board systems were exploited for illegal activities, and – in order to prevent this – system hosts used a form of censorship automation to block keywords similar to how web filters now work.

At the time, censorship automation was relatively simple; and, in order to circumnavigate the filters, users would substitute letters with symbols that closely represented them (i.e., “porn” became “p0rn”). The term “leet” arose from users referring to themselves as elite; and, as censorship automation evolved, so did “leetspeak” – although the concept behind it remained the same.

How Leet Substitution Works in Password Creation

There are three levels of leetspeak – basic, advanced (which omits most English characters), and ultimate (which uses radicals to represent English characters – i.e., │_│ for “u”). Most online sites only allow the use of a limited special character set when creating passwords, so the most common form of leet substitution involves substituting @ for “a”, € for “e”, zero for “o”, $ for “s”, and so on.

Being limited to the basic level of substitution doesn’t stop people from being creative. It is often possible to make long, complex passwords or passphrases using allowable ASCII characters – for example “I)0ñ╦ß®@I<€╦00ƒ@$╦” (“DontBrakeTooFast). Unfortunately, many people who use special characters believe they are strengthening their passwords, and this isn’t always the case.

Replacing Letters with Characters is More Common than You May Think

The practice of using leet substitution goes back fifty years and it is still fairly common. A 2016 Study of Mnemonic Sentence-based Password Generation Strategies (PDF) found that, when asked to create a mnemonic sentence-based password (quite well explained in this blog), 3.5% of users created a password that used a special character without being asked to.

Considering that there are more than 15 billion passwords for sale on the dark web, this would imply that leet substitution is a factor in more than 525 million leaked passwords (3.5% of 15 billion). However, some websites enforce the use of special characters when users first create a password, so the percentage of passwords with characters replacing letters is probably much higher.

Why Leet Substitution has Little Impact on Password Strength

The length of time that leet substitution has been around, and the common use of this password creation methodology, implies that replacing letters in passwords with special characters is no big deal. Furthermore, leet converters are freely available on the Internet, and hackers can build these tools into password hacking algorithms when deploying brute force attacks on unsuspecting businesses.

To prove the point that leet substitution has little impact on password strength, we tested out multiple passwords of various complexity on the Bitwarden password strength testing tool. Here’s what we found:

  • The word “password” takes less than a second to crack; and if you replace the “a” with an “@” to create “p@ssword”, it still takes less than a second to crack.
  • Similarly, if you replace “football” with “f00tball”, “starwars” with “$tarwar$”, or “sunshine” with “$un$hine”, a hacker can still get into your account within a second.

It is only when you start using European and math symbols that leet substitution has some impact on password strength – but it’s still not a lot.

  • “b@seball” takes less than a second to crack, but a hacker will take ten minutes with “ßaseball” and “bas€ball”, and 32 minutes with “ß@$€ß@11”.
  • Similarly, “yankee$” won’t trouble a hacker any longer than “p@ssword”, but “µ@ñI<€€$” will give them a three-hour wait before being able to get into your account.

If µ@ñI<€€$ Offers Little Account Protection, What Does?

It’s not the case that leet substitution has no value. Compared to “dontbraketoofast” – which would keep a hacker at bay for 71 years – it would take centuries to hack into an account protected by the password “I)0ñ╦ß®@I<€╦00ƒ@$╦”. However, the length and randomness of a password are more important than the character sets used in terms of password strength.

This is why NIST now recommends the use of passphrases consisting of a minimum of three random words. However, as some people can have more than a hundred online accounts to protect, NIST also recommends the use of a password manager to create genuinely random passwords and passphrases to ensure they are properly secured.

Password managers such as Bitwarden include password generators that enable you to choose between creating passwords and passphrases, and increasing the complexity to the maximum allowed by the account you are creating the password for. The password generator also displays the estimated time it will take to crack the password in case you wish to strengthen it further.

If you want to add an extra layer of security to the account, the opportunity often exists to deploy two-factor authentication (2FA). In this case, it is better to use a 2FA solution that sends you a One Time Passcode via an authentication app rather than SMS or email to avoid man-in-the-middle interceptions.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news