Is 'p4ssw0rd123' a safe password? Leet-speech in passwords explained

This question often makes an appearance when discussing password strength. Not literally this single password chosen as an example, but the common pattern of taking a word (that would otherwise make a weak password) and substituting letters, often vowels with similar looking digits or symbols. Other examples could include 'p@ssw0rd', 'm1ch43l', 'p3t3r' etc. This style of writing originated from old school 80s and 90s h4x0rr BBs, IRC and forums, and it's called leet-speech. But is leet-speech a good method for secure passwords? Let's make it clear:

Leetspeech is not safe by default, but why?

Complicating a long passphrase with a few extra leet characters will definitely increase its security. Also, it wll make the password compatible with most website policies (in case it otherwise lacks numbers or symbols). However, a very weak password is not made strong by just substituting a few letters. Hackers are well aware of these techniques and deploy complex, often personalized wordlists that include variations with letter substitutions just like the ones seen in leetcode. Multiple tools and programs exist that take a list of likely passwords and leetify them for cracking.

When your password is short, leetspeech does absolutely nothing

This is a thing many people forget. Very short passwords do not need wordlists or dictionaries. All possibilities for a 7 character password with letters (lower case and upper case), numbers and symbols, can be exhausted in less than 2 hours with a modern cracking rig. However more you try to complicate it, and however many letters you substitute, the maximum cracking time will remain less than 2 hours. This is unless you lengthen your password. You can check this on our password crack time estimation tool.

What about appending numbers?

Just like with leetspeech, this is contextual. Appending a single '1', or a common pattern like '123' at the end of your password will make it stronger. If, however, your password is otherwise weak, this technique is not saving it. It does, however, have an upside: it makes your password stronger, which exponentially increases its complexity and durability against combinational attacks.

Understanding these techniques

Leetspeech, as well as appending a number, are not bad, but they're amplifications of your password. They make your password stronger but only if your password is already strong enough. They do not make or break a password, and you should not rely on them for security.

What should I do then?

You can check if your password is secure by trying out the password analysis tool provided by passcheck.org (or an alternative tool). It will provide you with a comprehensive explanation about potential weaknesses of your password that you may not be aware of. To quickly create secure passwords, it is recommended to use a standalone password generation tool like the one on this website that uses cryptographically secure generation methods and avoids statistical bias or deterministic results that can be reversed engineered with the seed.

Other articles