In this article, we present a thorough evaluation of semantic password grammars. We report multifactorial experiments that test the impact of sample size, probability smoothing, and linguistic information on password cracking. The semantic grammars are compared with state-of-the-art probabilistic context-free grammar ( PCFG ) and neural network models, and tested in cross-validation and A vs. B scenarios. We present results that reveal the contributions of part-of-speech (syntactic) and semantic patterns, and suggest that the former are more consequential to the security of passwords. Our results show that in many cases PCFGs are still competitive models compared to their latest neural network counterparts. In addition, we show that there is little performance gain in training PCFGs with more than 1 million passwords. We present qualitative analyses of four password leaks (Mate1, 000webhost, Comcast, and RockYou) based on trained semantic grammars, and derive graphical models that capture high-level dependencies between token classes. Finally, we confirm the similarity inferences from our qualitative analysis by examining the effectiveness of grammars trained and tested on all pairs of leaks.

中文翻译：

---

语义密码模型和密码语言模式的大规模分析

在本文中，我们对语义密码语法进行了全面评估。我们报告了测试样本大小、概率平滑和语言信息对密码破解的影响的多因素实验。将语义语法与最先进的语法进行比较概率上下文无关文法(PCFG) 和神经网络模型，并在交叉验证和甲与乙情景。我们提出的结果揭示了词性（句法）和语义模式的贡献，并表明前者对密码的安全性更为重要。我们的结果表明，在许多情况下，与最新的神经网络对应物相比，PCFG 仍然是具有竞争力的模型。此外，我们表明在训练具有超过 100 万个密码的 PCFG 时几乎没有性能提升。我们基于经过训练的语义语法对四种密码泄漏（Mate1、000webhost、Comcast 和 RockYou）进行了定性分析，并导出了捕获令牌类之间高级依赖关系的图形模型。最后，我们通过检查在所有泄漏对上训练和测试的语法的有效性，从我们的定性分析中确认相似性推断。