ECE 202C · security research prototype
llm-password: pattern-aware password estimation
A local experimental evaluator for passwords whose visible complexity can overstate how predictable they are. The question was not whether a string looks random to a meter. It was whether an attacker with ordinary cultural knowledge and pattern completion could reach it quickly.
What I built
A staged pipeline combining a patched zxcvbn baseline, a cheap structural-pattern check, and continuation-probability estimates from local language models. The expensive stages are routed only to inputs where the cheap baseline leaves material uncertainty.
What was technically interesting
The continuation estimator uses dynamic programming over token-level alternatives rather than asking a model for one vague strength score. That made it possible to compare structured sequences against a reproducible probability estimate.
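One way to read the dynamic-programming step, as an added example that is not the project's code: a forward pass sums the probability of every tokenization of a string, then reports log10(1/P) as a crude guess-count proxy. The vocabulary, the BOOST weight and next_token_probs are constructed stand-ins for a local model, and the toy model is assumed to condition on the text prefix only.

```python
import math

# Constructed toy vocabulary: single digits plus one multi-character token,
# so "12" can be reached as ["1", "2"] or as ["12"].
VOCAB = [str(d) for d in range(10)] + ["12"]
BOOST = 90.0  # constructed weight for "continues the counting pattern"


def next_token_probs(prefix):
    """Hypothetical stand-in for a local LM: P(token | text so far).

    Tokens that start with the successor of the last digit are boosted.
    It conditions on the text prefix only, which keeps the DP below exact.
    """
    succ = str((int(prefix[-1]) + 1) % 10) if prefix else None
    weights = {t: (BOOST if t[0] == succ else 1.0) for t in VOCAB}
    total = sum(weights.values())
    return {t: w / total for t, w in weights.items()}


def string_prob(s):
    """Sum the probability of every tokenization of s (forward DP).

    alpha[i] = probability that the model emits exactly s[:i].
    """
    max_len = max(len(t) for t in VOCAB)
    alpha = [0.0] * (len(s) + 1)
    alpha[0] = 1.0
    for i in range(len(s)):
        if alpha[i] == 0.0:
            continue  # s[:i] is unreachable with this vocabulary
        probs = next_token_probs(s[:i])
        for n in range(1, max_len + 1):
            tok = s[i:i + n]
            if len(tok) == n and tok in probs:
                alpha[i + n] += alpha[i] * probs[tok]
    return alpha[len(s)]


def log10_guesses(s):
    """Crude guess-count proxy: log10(1 / P(s)); inf if s is unreachable."""
    p = string_prob(s)
    return math.inf if p == 0.0 else -math.log10(p)
```

With these constructed weights, a counting sequence and a scrambled sequence of the same length and character set land roughly sixteen orders of magnitude apart, which is the kind of gap a length-based meter cannot see.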
One result worth showing
A long numeric sequence scored around 10^23.57 guesses under the zxcvbn baseline, while a continuation estimate assigned it roughly 10^3.34. The point is not that the second number is a universal cracking forecast. It shows that obvious construction rules can survive a length-based strength meter.
Method and limits
llm-password is an experiment in password-pattern estimation, not a claim that a small language model can simulate every real attacker. It is useful where conventional matching misses a human-generated sequence, phrase, cultural association, or rule. It does not replace breach checks, rate limits, MFA, or proper password storage.
The project was deliberately built around local inference and inspectable stages. The goal was to avoid sending password-derived text to an unrelated service merely to receive a score.