Well, but in the example passphrase you chose above (and adding 4 for a and 5 for s), there are 20 potentially leet chars. To specify each one as being either normal or leetified would add 20 bits of entropy. If you assume the biggest threat against a complex passphrase like that is an advanced dictionary-based attack (combining multiple words and then testing leet-ified and number pre/post-fixed variations), then we just multiplied the cost of bruting it by 2^20. I reckon that's a worthwhile multiplier!

Most password crackers (notably L0pht) can do "common character substitution" tests in conjunction with a wordlist -- thus, 'l33t1fy1ng' your passwords is a pretty poor defense.

Michael Holstein CISSP GCIA
Cleveland State University
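The two posts above disagree about how much leet substitution buys. The quoted claim counts each leetable character as an independent bit (2^n variants); the reply points out that crackers apply a fixed substitution rule set, which models the choice per letter rather than per position. The following Python, added here as an illustration and not part of the thread, computes the candidate keyspace under both models for a constructed passphrase so a defender can compare them when evaluating a password policy. The substitution map (including the 4-for-a and 5-for-s pairs mentioned above) and the sample passphrase are assumptions for the example.

```python
import math

# Assumed substitution map: the "common character substitution" pairs a
# rule-based cracker would try (the 4-for-a and 5-for-s pairs are from the
# thread; the rest are conventional additions for this example).
LEET_MAP = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7", "l": "1"}

# Constructed sample passphrase (not the one from the original thread).
EXAMPLE_PASSPHRASE = "correct horse battery staple"


def leetable_positions(passphrase):
    """Indices of characters that have a substitution in LEET_MAP."""
    return [i for i, ch in enumerate(passphrase.lower()) if ch in LEET_MAP]


def per_position_keyspace(passphrase):
    """Model from the quoted post: every leetable character is independently
    left alone or substituted, giving 2^n variants for n leetable positions."""
    return 2 ** len(leetable_positions(passphrase))


def uniform_rule_keyspace(passphrase):
    """Model from the reply: a cracker's rule set substitutes a letter either
    everywhere or nowhere, so the choice is per distinct letter, not per
    position.  Far fewer variants need testing."""
    distinct = {ch for ch in passphrase.lower() if ch in LEET_MAP}
    return 2 ** len(distinct)


def entropy_bits(keyspace):
    """Bits of work a uniform search over `keyspace` candidates represents."""
    return math.log2(keyspace)


def compare(passphrase):
    """Return (per-position bits, uniform-rule bits) for the passphrase."""
    return (entropy_bits(per_position_keyspace(passphrase)),
            entropy_bits(uniform_rule_keyspace(passphrase)))


if __name__ == "__main__":
    pos_bits, rule_bits = compare(EXAMPLE_PASSPHRASE)
    print(f"leetable positions: {len(leetable_positions(EXAMPLE_PASSPHRASE))}")
    print(f"per-position model: {pos_bits:.0f} bits of added work")
    print(f"uniform-rule model: {rule_bits:.0f} bits of added work")
```

For the sample passphrase the per-position model credits 15 extra bits, while the uniform-rule model that a substitution-aware cracker actually implements credits only 6; the gap between the two numbers is the overestimate the quoted post makes, and is a reasonable figure to cite when deciding whether a policy should reward substitutions at all.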

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
