Yunkai Zou, Maoxiang An, and Ding Wang, Nankai University
Passwords are ubiquitously used for authentication/encryption, and password guessing attacks are the most effective technique for evaluating password strength. While large language models (LLMs) like ChatGPT-4o have demonstrated remarkable capabilities in text comprehension and reasoning across various general natural language processing tasks, they face limitations due to their static knowledge (e.g., fixed training data that lacks domain adaptability), especially in specialized tasks such as generating accurate password guesses.
This work opens a new technical route for password guessing by proposing an LLM-based guessing framework, PassLLM, that leverages low-rank adaptation techniques. PassLLM systematically addresses four major password guessing scenarios, each based on a different kind of information available to the attacker. To reduce the high computational cost of generating passwords with LLMs, we propose two generation algorithms tailored to trawling and targeted guessing, respectively, enabling efficient password generation at scale (e.g., 1,000 guesses per user). Further, we apply model distillation to improve generation speed by 11.5 times in trawling guessing scenarios without significantly reducing the success rate. Notably, our generation algorithms are applicable to a wide range of decoder-only LLMs (e.g., Mistral, Llama-2/3, and Qwen-2).
Extensive experiments on 11 real-world password datasets demonstrate the effectiveness of our framework: (1) PassLLM for trawling guessing scenarios, whose guessing success rates are generally 2.87%-17.07% higher than its foremost counterpart; (2) PassLLM-I for targeted guessing based on personally identifiable information (PII), which guesses 12.54%-31.63% of common users within 100 guesses, outperforming its foremost counterpart by 15.10%-45.98%; (3) PassLLM-II for targeted guessing based on users' password reuse behaviors, which outperforms its foremost counterpart by 6.31%-13.87%; and (4) PassLLM-III for targeted guessing based on users' PII and sister password(s), which outperforms its foremost counterpart by 13.44%-36.14%. We believe this work makes a substantial step toward introducing LLMs into the password guessing domain.
author = {Yunkai Zou and Maoxiang An and Ding Wang},
title = {Password Guessing Using Large Language Models},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {7799--7818},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/zou-yunkai},
publisher = {USENIX Association},
month = aug
}
