
>Simply put, adding length increases entropy more efficiently than replacing letters with symbols.

I don't like this meme, because it's not necessarily "more efficient." Like most things, it depends. If I have a password made of 10 lowercase characters, it's much better to replace one with an upper case character rather than add another lower case one.

Option 1) Add a lower case character. Password is 26 times stronger.

Option 2) Replace 1 upper with 1 lower case character. Password is 1024 times stronger.



But don't do what someone I know did and replace every single e with 3, every single a with 4, every single o with 0.

Identical entropy, extra theatre.


Not to imply that what you describe is a great strategy, but I wouldn't describe it as pointless. The password "12345" has the same entropy as "b0g4p" but it would be a mistake to think they are equally secure.


>The password "12345" has the same entropy as "b0g4p" but it would be a mistake to think they are equally secure.

Those do not have remotely equal entropy.


At the byte level it does, which is presumably what the OP was talking about when saying that replacing characters with digits (uniformly) does not affect entropy.


Maybe, but I would hope that's not what s/he meant, because that kind of entropy is basically irrelevant to password strength.


Is bogap a dictionary word?

What I'm describing are passwords like

T1g3rF33t Cam3lT03

etc.

All dictionary stuff along a theme, but made "secure" by applying a zero-entropy substitution of all occurrences of (L,O,A,E) with (1,0,4,3).

Given that crackers know people do this, they add them to their dictionary attack routines so this is no more secure.

Given I'm still fighting with them over "don't store passwords in plain text", I've not even begun to attack them over this practice yet.


Ha, no... I just randomly typed in symbols. Guess it does look kind of "wordish" though.


I don't think that's identical entropy, since the usage of that strategy varies, and the non-substitution case is more common. But it probably adds less than one bit, and last I checked, 2 * instant = instant.


What you say is true if attackers know the composition of your password: if the system provided them with some sort of hint telling them how many upper, lower, digit and special characters existed in the password.

Hopefully such systems don't exist.

Instead most attackers have to run through the obvious, then through brute forcing against the known character set.
