Leet Speaking Passwords


A friend created a really cool project, where he’s defining words using hex value colors. It’s called HexNa.me and if you click the link you’ll see an example of leet speak being used to turn #4c3741 to Acetal, which is a colorless, flammable, volatile liquid used in cosmetics. This made me realize that leet speak may be becoming a bit more ubiquitous and ready for public consumption.

Leet speak, for those of you who may not know, is using an alternate alphabet to replace typical letters. Simple examples are @ for A or $ for S. I could spell my name, Jesse, as J3$$3. The 3 replaces the E because it looks very similar to the E.

When creating passwords there are so many rules defining what to do and what not to do, but not too many guides on how to create memorable, secure passwords.

Almost every site that suggests a secure password (financial, data, medical, etc…) gives you a few basic rules.

  • Must contain upper and lower case letters
  • Must have at least 1 number
  • Must have at least 1 special character (punctuation mark)
  • Must be at least 8 characters

We can all use password generators to create passwords, and when it comes to passwords that I do not have to remember I suggest this.  For example, when I’m creating a new user in a MySQL database I will generate a very long password that utilizes letters, numbers, punctuation, etc.

When it comes to remembering your bank password, a password generator is not going to help. We should all know by now to NEVER create passwords based on our kids’, dogs’, or family members’ names. We should also not use addresses, phone numbers, birthdays, etc. This goes out to a few family members and friends who are still doing this. STOP! TODAY! 🙂

Instead, let’s use leet speak to convert an easy-to-remember word or phrase into a secure, memorable password.

I learned this technique from my Information Security Professor, Tom Calabrese, and I have been using it for many, many years now.

I’m a huge Star Wars (originally released movies – not the prequel crap) fan so, let’s use something from those movies as examples.  For instance, the phrase “May The Force Be With You” is memorable but pretty long.

We can go with “The Force”, which breaks down to

English:                 T H E F O R C E

In leet speak we sub typical English letters with numbers and punctuation marks to create something considerably more complex but still understood and read by humans.

Leet:                      T h 3 f 0 2 ( 3

In this example we subbed the E for 3, O for 0 (zero), R for 2 and C for (.

This example will meet the minimum requirements for most accounts, and once you get used to it Leet Speak will be easy to recall and write.

You can also sub characters for entire words. For example, we can replace “I hate” with “ih8” or “I love” with “I<3” and then get personal with “ih8h@(K32$”.

Eventually you’ll have fun creating these phrases and knowing that you are ensuring the security of your online accounts.
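A site-side check for passwords built this way, as an added example that is not part of the original post: it applies the four basic rules listed earlier, then reverses the substitutions used in this article (3, 0, 2, (, @, $) and compares the result with a blocklist. The function names and the blocklist contents are constructed for illustration.

```python
import string

# Substitutions used in this article (leet symbol -> plain letter).
LEET_TO_PLAIN = {"3": "e", "0": "o", "2": "r", "(": "c", "@": "a", "$": "s"}

# Constructed sample blocklist; a real deployment would load a large
# wordlist of common words, phrases and breached passwords.
BLOCKLIST = {"theforce", "password", "jesse", "acetal"}


def meets_composition_rules(pw: str) -> bool:
    """The four basic rules: length, upper, lower, number, punctuation."""
    return (
        len(pw) >= 8
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def normalize(pw: str) -> str:
    """Undo the leet substitutions and fold case."""
    return "".join(LEET_TO_PLAIN.get(c, c) for c in pw).lower()


def check_password(pw: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate password."""
    if not meets_composition_rules(pw):
        return False, "fails composition rules"
    plain = normalize(pw)
    if plain in BLOCKLIST:
        return False, f"normalizes to blocklisted word '{plain}'"
    return True, "ok"


if __name__ == "__main__":
    # Candidates taken from the article text.
    for candidate in ("J3$$3", "Th3f02(3", "ih8h@(K32$"):
        print(candidate, "->", check_password(candidate))
```

A password can satisfy every composition rule and still be rejected once the substitutions are undone, which is why longer phrases fare better than a single converted word.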

Jesse Friedman
Jesse Friedman is a veteran WordPress developer. In 2012 he wrote the “Web Designers Guide to WordPress”. With years of experience as a speaker and...
  • iafd.com

    My only concern doing things this way is the ability to be thwarted by dictionary attacks – which is what all the number/character rules are supposed to prevent against.  I would think a strict leet speak password translation is a smidge less secure, since it’s only a matter of time before f 0 2 ( 3 is added to the hash file…

  • Infographics

    There are plenty of cool infographics out there that help show some of the crazy data and passwords that people use. Infographics are a great way to show info like this, because it helps people who are more visually inclined to comprehend the massive amount of data being conveyed. Try an infographic next time!

  • Johnm

    Hmm, not sure how I feel about this.  I think it’s a cool idea but I also feel there are sites where this rule would not always work.  Also, I think that these passwords would eventually be susceptible to hacking attacks.  Thanks for the posting though!

  • Jesse Friedman

    Thanks for the replies @iafd and @c0316f91009288685e9c4fe6e77aa72d:disqus  I guess my point was to provide a solution to help those that continue to use their kids’ names or birthdays as passwords. Believe it or not it’s way more common than you think.

    I use leet speak for my password but I create a phrase, usually 12 characters or more. There are still so many variations of leet speak that in my opinion it is still extremely secure.