Don't use 'leet' passwords
James Hartwright
Managing Partner & fractional CDO, CTO at Pragmaticians | Certus Solutions | Traffyk.ai
I received an email from Service NSW (part of NSW government) yesterday recommending I update my passwords. As the picture shows, they suggest substituting letters with symbols or numbers that look like them (e.g. $ or 5 for S).
These are called ‘leet’ substitutions and they feel like they add complexity over a plain word. For example, fluffycat doesn’t feel like a great password and, you’re right, it’s been found in breached password lists over 6,000 times. You’d think F1uffyc@t would be better, but it’s also been breached 13 times - and, when password-cracking tools can try thousands of guesses per second, it only adds about 3 seconds to a targeted attack.
You’re unlikely to create a short password - using common words and leet substitutions - that isn’t already in a breached password list somewhere.
The best things you can do to minimise the risk of your passwords being cracked or stolen are:
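As an added illustration (not part of the original post), here is a small Python policy check that undoes common leet substitutions before comparing a candidate against a breached list, so F1uffyc@t is rejected just like fluffycat; it also counts how many leet spellings a plain word has, which is why they add so little attack time. The substitution table and the breached list are constructed for the example, not taken from any real product or dataset.

```python
import itertools
from math import prod
from typing import Optional

# Forward map of common leet substitutions (assumption: a typical subset, not exhaustive).
SUBSTITUTES = {
    "a": "@4", "b": "8", "e": "3", "g": "69", "i": "1!",
    "l": "1|", "o": "0", "s": "$5", "t": "7+",
}

# Reverse map: each leet character back to every letter it may stand for ('1' -> 'il').
UNLEET: dict = {}
for letter, symbols in SUBSTITUTES.items():
    for sym in symbols:
        UNLEET[sym] = UNLEET.get(sym, "") + letter

# Constructed stand-in for a breached-password list (real lists hold hundreds of millions).
BREACHED = {"fluffycat", "password", "correcthorsebatterystaple", "letmein"}


def unleet_variants(password: str) -> set:
    """All plain-text readings of `password` once leet characters are undone.
    Ambiguous characters such as '1' produce one reading per candidate letter."""
    choices = [UNLEET.get(ch, ch) for ch in password.lower()]
    return {"".join(p) for p in itertools.product(*choices)}


def breached_base_word(password: str) -> Optional[str]:
    """Return the breached word this password is a (leet) variant of, or None."""
    for candidate in unleet_variants(password):
        if candidate in BREACHED:
            return candidate
    return None


def leet_variant_count(base_word: str) -> int:
    """How many leet spellings of a plain word a cracker's mangling rules would enumerate."""
    return prod(1 + len(SUBSTITUTES.get(ch, "")) for ch in base_word.lower())


def extra_seconds(base_word: str, guesses_per_second: int) -> float:
    """Time those leet variants add to a guessing attack at the given rate."""
    return leet_variant_count(base_word) / guesses_per_second


if __name__ == "__main__":
    for pw in ("F1uffyc@t", "pa$$w0rd", "CatIsFluffyMyCalled"):
        print(pw, "->", breached_base_word(pw) or "not a leet variant of a breached word")
    print("fluffycat has", leet_variant_count("fluffycat"), "leet spellings")
```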
1. Enable multifactor authentication whenever possible
2. Get a password manager - and replace those easy-to-guess passwords with randomly generated ones
3. If you can’t afford a password manager, follow the great xkcd cartoon (Randall Munroe) recommendation of multiple longer words strung together - and do them in random order such as: ‘CatIsFluffyMyCalled’. Oh, don’t use the xkcd CorrectHorseBatteryStaple - it’s been breached 2,000 times and counting!
4. It shouldn’t need to be said, but don’t use the same password across multiple sites - try something clever with different strung words that you’ll still remember
See xkcd: https://xkcd.com/936/
Also see some detail on leet passwords: https://www.netsec.news/why-leet-substitution-has-little-impact-on-password-strength/
P.S. Why am I posting on passwords? - well it's part of one of my roles as a CISO...
Comment from the author (4 weeks ago): Service NSW - I understand what you were trying to do here, but it could have been better!