Why Simple Character Substitution for Passwords is Now a Pile of 5h1t