Comments on: Bad password choices: don't miss the point
News, Views, and Insight from the ESET Security Community
Mon, 03 Feb 2014 08:49:00 +0000

By: David Harley Sat, 27 Oct 2012 07:51:14 +0000
Hi, Wayne.

Yes, the sort of substitution you suggest does add to the complexity of a password while leaving it comparatively memorable. I wouldn’t discourage it – in some cases a fairly simple strategy is all that’s necessary because an attacker doesn’t get unlimited attempts to try to guess a password. However, where a password is vulnerable to a dictionary attack checking possibilities against an extensive word list, the algorithm used in an attack is likely to take that kind of substitution into account, so it won’t stop an automated attack. (Despite what you see in the movies, most successful attacks are carried out using software: the attacker doesn’t usually sit there guessing at passwords and typing each one in manually, though of course the more common the password, the likelier it is to be guessable without using a password cracking program.)

So while a simple character substitution strategy may slow down a dictionary attack, it won’t necessarily slow it much. For example, using ‘pa$$w0rd’ instead of ‘password’ would probably make no perceptible difference to the speed with which the password was cracked. Using character substitution in combination with other strategies can certainly be more effective though. Choosing a password is a big topic, which is why I didn’t really address it in this particular article, but I have spent quite a lot of time on it elsewhere: for instance, in the paper at It’s important to realize, though, that the complexity of a password is almost irrelevant to the likelihood of its being cracked. Sophisticated password crackers make mincemeat out of authentication mechanisms that rely purely on complexity. :(
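As an added example, not code from the article or from either commenter: a password-policy filter written from the defender's side, which undoes the substitutions discussed in this thread (Wayne's @/$/|-| and the digit swaps in 'pa$$w0rd') before checking the result against a word list. The substitution table, the miniature word list and the 12-character minimum are constructed assumptions for illustration.

```python
# Constructed example: de-leet a candidate password, then check it
# against a word list, so 'pa$$w0rd' is rejected exactly like 'password'.
from itertools import product

# Multi-character symbols are rewritten first, then single characters.
# Some symbols stand for more than one letter, so a candidate can have
# several plain-letter readings; normalise() returns all of them.
MULTI_SUBS = {"|-|": "h", "|_|": "u"}
SINGLE_SUBS = {
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "3": "e",
    "7": "t", "+": "t", "1": "li", "!": "li", "|": "li",
}
PADDING = "0123456789!@#$%^&*.?"   # trailing junk such as '123!' is ignored
MAX_AMBIGUOUS = 10                 # bounds the 2**n expansion of 'li' symbols

# Constructed miniature word list; a deployment would load a real one.
WORDLIST = {"password", "letmein", "hunter", "dragon", "welcome"}

def normalise(candidate: str) -> set[str]:
    """Return every plain-letter reading of a leet-speak candidate."""
    s = candidate.lower()
    for sym, letter in MULTI_SUBS.items():
        s = s.replace(sym, letter)
    options = [SINGLE_SUBS.get(ch, ch) for ch in s]
    if sum(len(o) > 1 for o in options) > MAX_AMBIGUOUS:
        return {s}          # too many readings; keep the literal form only
    return {"".join(combo) for combo in product(*options)}

def is_dictionary_variant(candidate: str) -> bool:
    """True if the candidate, or the candidate minus trailing padding,
    de-leets to an entry in WORDLIST."""
    forms = normalise(candidate) | normalise(candidate.rstrip(PADDING))
    return any(form in WORDLIST for form in forms)

def check_policy(candidate: str) -> tuple[bool, str]:
    """Accept a password only if it is not a disguised dictionary word
    and is reasonably long; returns (accepted, reason)."""
    if is_dictionary_variant(candidate):
        return False, "substitution variant of a dictionary word"
    if len(candidate) < 12:
        return False, "shorter than 12 characters"
    return True, "ok"
```

Running `check_policy` over 'pa$$w0rd', 'P@ssw0rd!2012' and '|-|unt3r' rejects all three as dictionary variants, while a long passphrase with no word-list match passes.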

By: Wayne Sat, 27 Oct 2012 05:39:40 +0000
David,
I really enjoyed the knowledge that you shared and the advice that you offered in this blog. I do have one question though, how wise is it to insert one (or more) special character(s) into a password?
It would be relatively easy for people of all ages to implement this simply by substituting one or more of the following:
@ – a
$ – s
|-| – H
I have not read all of your past blogs and you might have covered this, but would it be effective to let people know special character(s) could prevent them from future issues?