All the cool kids are doing it.
Using leetspeak to chat online. Using leetspeak in multiplayer games. Even using leetspeak in passwords.
And you know when the cool kids do something, there’s got to be a reason, right? Or maybe not.
What we do know is leetspeak is a fairly common way to create “complex” passwords. When businesses require password complexity for access to their accounts and data systems, leetspeak inevitably sneaks in. But how do you know if leetspeak passwords are safe to use? Do they actually provide more protection than common dictionary words or a string of random characters? If not, is there any reason to prevent leetspeak use in your system passwords?
To answer these questions, let’s start with the basics. What it is, where it comes from, and why it’s still in use. Then, we can talk about the psychology behind leetspeak and how hackers may or may not be able to use it to their advantage.
What is leetspeak?
Pwn. N00b. P@55w0rd. 1|_0\/3Y0u.
Leetspeak is something many people know about but aren’t necessarily well-versed in. At the most basic level, leetspeak replaces vowels in a word with numbers that look like the letter. What likely began as a way to defeat text filters in bulletin board systems (BBS) of the 1980s has evolved into a full-blown system of modification for spelling words with special characters, ranging from simple to advanced. Everyone who’s ever been online has seen some version of leetspeak. It’s become a semi-ironic way to create user names in online gaming, and it’s made its way into the cultural zeitgeist in the form of popular slang words like “woot.” It’s used in film and television, usually to denote gaming culture or a hacker villain. Ready Player One, Numb3rs, and Mr. Robot come to mind as examples, among many others.
Leetspeak makes its way into our passwords because many people view it as a clever way to obfuscate common words and phrases. For example, a password “mydogrex” becomes “MYd09r3X” in basic leetspeak. A more advanced form of leetspeak could turn this password into “|v|`/d09r3><” as almost every letter is replaced with a symbol or a combination of symbols. From a user’s perspective, it’s much easier to remember a simple password with a few straightforward substitutions than to remember a new password that fulfills complexity rules every time they’re forced to change it.
How leetspeak leaves businesses vulnerable to attack
Cracking dictionaries are full of common passwords. When bad actors get their hands on these giant databases full of pre-cracked passwords from past data breaches, standard terminology, and dictionary words they use them to infiltrate business systems and wreak all sorts of havoc. In fact, 99% of organizations can attribute password breaches to negative, business-impacting consequences.
What does this have to do with leetspeak? Well, if common words and phrases are in cracking dictionaries, how difficult do you think it is for hackers to translate them into leetspeak? Despite what many might think, leetspeak usage in passwords doesn’t make them any stronger. When users create a common password and replace the “o” with a “0” and an “i” with an “!” the password looks exactly the same to an attacker.
Unfortunately, because people believe it makes their passwords stronger, they may end up thinking a weak password is a strong one. It all comes back to arbitrary password complexity rules. Here at Enzoic, we beat this drum a lot. But that’s because it’s so important, and few organizations are taking steps to eliminate this vulnerability from their systems. The fact is these complexity requirements do not make passwords any less crackable. It makes them more crackable.
You can use 1337speak, but you’re not fooling anyone
There is a fantastic xkcd comic, 936: Password Strength, that sums up the issue quite nicely. We make users choose passwords based on algorithmic strength rather than actual NIST guidelines. This leads users to depend on things like leetspeak to create passwords to fit “password strength” rules that they can actually remember. Then, a cyber attacker uses a cracking dictionary or tool like John the Ripper to reverse the character substitution and – that’s it – your system is breached.
42% of users say that having a password that’s easy to remember is more important than having one that is very secure. Password reuse is so common because 60% of users are afraid of forgetting their login information. Using leetspeak in passwords isn’t the problem. It’s a symptom of a flawed system. One easy solution is to screen your critical data systems for common and compromised passwords. Tools that provide continuous password protection, like Enzoic for Active Directory, can reverse out the L33T character substitutions and evaluate what’s left. If what remains is not a compromised password, it’s safe to use. No need to ban leetspeak altogether – just don’t assume it magically transforms passwords into uncrackable safeguards.