LLM-Guided Prompt Evolution for Password Guessing
Summary: arXiv:2604.12601v1 Announce Type: cross
Abstract
Password-based authentication remains prevalent in securing user accounts, yet its effectiveness is frequently compromised by common user behaviors and significant credential leaks. To mitigate these security challenges, automated password guessing has emerged as an essential tool for evaluating the robustness of password policies and simulating potential attacker strategies.
Introduction
This article discusses a groundbreaking approach that leverages Large Language Models (LLMs) to enhance the efficiency of password guessing through evolutionary computation. By utilizing an innovative framework, researchers have developed a method to automatically optimize prompts that guide LLMs in constructing and guessing passwords.
Methodology
The study employs OpenEvolve, an open-source platform that integrates MAP-Elites quality-diversity search with an island population model. This system is instrumental in evolving prompts that aim to maximize the password cracking rate on a dataset derived from the RockYou password leaks.
- Prompt Evolution: The process begins with a set of initial prompts that guide the LLM in generating password guesses.
- Testing Configurations: The researchers evaluated three distinct configurations:
- A local setup using Qwen3 8B.
- A single compact cloud model, Gemini-2.5 Flash.
- A two-model ensemble composed of leading-edge LLMs.
Results
The implementation of this evolutionary approach significantly improved the cracking rates. Initial tests revealed a cracking rate of 2.02%, which was enhanced to an impressive 8.48% through the optimized prompts developed in the study.
Character Distribution Analysis
Further analysis of the generated passwords indicated that the evolved prompts produced character distributions that were statistically more realistic. This finding underscores the effectiveness of the prompt evolution technique, as it allows for the generation of passwords that closely mimic real-world choices made by users.
Implications
The findings of this research have profound implications for password auditing and security measures. By automating the prompt evolution process, the study demonstrates a low-barrier yet powerful method to bolster LLM-based password auditing systems. This advancement highlights the potential for automated improvements in attack pipelines, ultimately enhancing the capabilities of cybersecurity tools.
Conclusion
In conclusion, the application of LLM-driven evolutionary computation for optimizing password guessing prompts represents a significant advancement in the field of cybersecurity. As password management continues to be a critical issue, this research offers valuable insights and tools for enhancing password policy effectiveness and improving overall security measures.