Leetspeak passwords – predictable and crackable
(Last updated on January 18, 2021)
Leetspeak is a form of modified English that replaces letters with ASCII characters and numbers. Hackers used leetspeak back in the 1980s to disguise their conversations, but now it’s a part of internet culture. Its widespread use has made it a staple of password creation, as it is a way for users to create easy to remember passwords. This is predominately due to complexity rules requiring the use of numbers and symbols.
Leetspeak = weak passwords
Password complexity rules force users to create unique passwords that utilize the four character types: capital letters, lower case letters, numbers, and symbols. It is all about randomizing the passwords and increasing the entropy. Since a random string of characters may not be so easy to remember, users resort to commonly used words or phrases, with character substitutions to satisfy the complexity requirements. For example, if forced to create a password with all the four character types, users can circumvent security with the following: P4$$w0rd. Obviously, this is very predictable, even though it meets the policy requirements.
These passwords can be easily cracked using any number of available cracking applications but they can also be guessed because of their predictability.
Banning bad behavior & passwords
Password complexity is believed to increase security, but it can also lead users to predictable patterns. As such, securing your organizational data requires passwords that are checked against:
- A compromised password list
- Common character substitutions
- Common keyboard patterns
With Specops Password Policy enabled, users cannot fall into vulnerable patterns. Specops Password Policy enables stronger passwords by ensuring that they are truly unique. Even with character complexity requirements enabled, Specops Password Policy can block leetspeak, keyboard patterns, and even appending old passwords with a number or symbol.