Cracking Passwords with LLMs by Exploiting Linguistic Features
摘要
Passwords remain the primary authentication method in computer systems and are expected to prevail for the foreseeable future. Previous works on password security have mainly focused on the passwords created by English-speaking users. As a result, the proposed password guessing methods are confined to the password composed by English speakers. However, language structure plays a significant role in password creation, analysis that overlooks the language-specific inherent features may yield biased results. To address this limitation, we perform a large-scale empirical study using 64.5 million passwords from seven real-world webs. By using the cosine similarity measure, we find significant differences in character distribution between Chinese and English websites. In addition, we explore the use of Chinese Pinyin chunks and English words in both Chinese and English passwords, analyzing their impact on cracking rates. Finally, we propose a large language model (LLM) based password-guessing method to analyze the vulnerability of Chinese web passwords. Our experimental results demonstrate that incorporating linguistic features into the model improves the cracking rate by 3.97%–12.34% compared to traditional non-language-based models. Additionally, to validate the effectiveness of our method, we compare its performance to that reported by Wang et al. At \(10^{7}\) guesses, our approach achieves a cracking rate of 37.21%, which is 7.15% higher than that of the leading state-of-the-art method.