Password guessers are instrumental for assessing the strength of passwords. Despite their diversity and abundance, comparisons between password guessers are limited to simple success rates. Thus, little is known on how password guessers can best be combined with or complement each other. To extend analyses beyond success rates, we devise an analytical framework to compare the types of passwords that guessers generate. Using our framework, we show that different guessers often produce dissimilar passwords, even when trained on the same data. We leverage this result to show that combinations of computationally cheap guessers are as effective in guessing passwords as computationally intensive guessers, but more efficient. Our framework can be used to identify combinations of guessers that will best complement each other. To improve the success rate of any guesser, we also show how an effective training dataset can be identified for a given target password dataset, even when the target dataset is hashed. Our insights allow us to provide a concrete set of practical recommendations for password checking to effectively and efficiently measure password strength.

密码猜测器有助于评估密码的强度。尽管它们的多样性和丰富性，密码猜测者之间的比较仅限于简单的成功率。因此，人们对密码猜测者如何最好地相互结合或相互补充知之甚少。为了将分析扩展到成功率之外，我们设计了一个分析框架来比较猜测者生成的密码类型。使用我们的框架，我们表明不同的猜测者通常会产生不同的密码，即使在对相同数据进行训练时也是如此。我们利用这个结果来表明计算成本低的猜测者的组合在猜测密码方面与计算密集型猜测者一样有效，但更有效。我们的框架可用于识别最能相互补充的猜测者组合。为了提高任何猜测者的成功率，我们还展示了如何为给定的目标密码数据集识别有效的训练数据集，即使目标数据集是散列的。我们的见解使我们能够为密码检查提供一组具体的实用建议，以有效和高效地衡量密码强度。