I'm not that hip on the L33t language beyond what I've read on Wikipedia.
I do need to add a dictionary check to our password-strength-validation tool, and since leet-speak only adds trivial overhead to the password cracking process, I'd like to de-leet-ify the input before checking it against the dictionary.
To clarify the reasoning behind this: When required to add symbols to their passwords many users will simply do some very predictable leet substitution on a common word to meet the number and symbol inclusion requirement. Because it is so predictable, this adds very little actual complexity to the password over just using the original dictionary word. \Edit
Not knowing all the rules, especially the multi-character substitutions like "//" for "W", and being certain this is a problem that has been addressed many times including certainly by open source projects.
I'm looking for code samples, but haven't found any so-far. If it is C# code that would be a bonus!, but code in any common language will help.
Also, it would be nice to have an extensible approach, as I understand this dialect evolves quickly. It would be nice to be able to add-in some rules in a year as those evolve.
And no, this is not the basis for my entire password strength check. This is only the part I am asking for help on in this post. So we are not distracted by other elements of password and security concerns, let me describe the password concerns that don't have to do with leet-speak:
We measure the bits of entropy in the password per NIST special publication 800-63, and require a policy-configurable equivalent measure (56 bits for example) for the password to be valid. This still leaves room for dictionary words that have been simply leet-ed and from an entropy perspective aren't a whole lot better plain dictionary words.
I would simply like to tell users that "P@s5w0rd" is too close a dictionary word, and they could probably find a stronger password.
I know there is a lot more to security considerations like the balance between passwords that humans can remember, and passwords that are secure. This isn't that question.
All I'm asking about is converting l33t to plaintext which should be nearly as fun and interesting of a topic as code golf. Has anyone seen any code samples?
Users with elite status on BBSs had the widest access to the system and usually had to be the best hackers in order to achieve that level of access—hence 1337 as slang for “skilled,” in contrast to n00b, or newbie. Elite was modified to leet, then written with numbers as 1337 (1 for L, 3 for E, and 7 for T).
Its use today is largely ironic. Leetspeak is especially popular for personalizing online nicknames in forums or multiplayer online games. Various forms of leetspeak have emerged over the years.
l337 (leet) is an online language originally used among hackers to prevent their sites and groups from being discovered via keyword search. It comes from the word "elite"—as in, those who knew leet speak were an elite group of hackers and, eventually, skilled video gamers.
Leet speak, also known as hackspeak or simply leet, is the substitution of a word's letters with numbers or special characters. "Leet" is derived from the word "elite," which refers to the hackers who originally turned leet speak into a sort of cult language in the 1980s.
I must say I think this is a bad idea... If you want them to be strong, come up with better requirements.. must be at least 8 characters, contain upper AND lowercase letters, contain at least one number, and at least one special character. Implement a maximum authorization failure counter before disabling an account. Once that's done, what are you worried about?
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With