🤖 AI Summary
Existing password strength estimation models treat passwords as homogeneous sequences, ignoring their structural heterogeneity—leading to training bias and degraded guessing performance. To address this, we propose MoPE, a structure-aware Mixture of Experts framework: it first identifies and clusters password structural patterns to partition the password subspace; then, it designs dedicated expert models for each structural class and employs a lightweight gating network for dynamic routing. MoPE is the first structure-aware Mixture-of-Experts system in password guessing research. Experiments demonstrate that MoPE improves cracking rates by 38.80% (offline) and 9.27% (online) over state-of-the-art baselines, while enabling millisecond-level real-time strength assessment. This significantly enhances estimation accuracy, generalization across diverse password distributions, and practical deployability.
📝 Abstract
Textual passwords remain a predominant authentication mechanism in web security. To evaluate their strength, existing research has proposed several data-driven models across various scenarios. However, these models generally treat passwords uniformly, neglecting the structural differences among passwords. This typically results in biased training that favors frequent password structural patterns. To mitigate the biased training, we argue that passwords, as a type of complex short textual data, should be processed in a structure-aware manner by identifying their structural patterns and routing them to specialized models accordingly. In this paper, we propose MoPE, a Mixture of Password Experts framework, specifically designed to leverage the structural patterns in passwords to improve guessing performance. Motivated by the observation that passwords with similar structural patterns (e.g., fixed-length numeric strings) tend to cluster in high-density regions within the latent space, our MoPE introduces: (1) a novel structure-based method for generating specialized expert models; (2) a lightweight gate method to select appropriate expert models to output reliable guesses, better aligned with the high computational frequency of password guessing tasks. Our evaluation shows that MoPE significantly outperforms existing state-of-the-art baselines in both offline and online guessing scenarios, achieving up to 38.80% and 9.27% improvement in cracking rate, respectively, showcasing that MoPE can effectively exploit the capabilities of data-driven models for password guessing. Additionally, we implement a real-time Password Strength Meter (PSM) based on offline MoPE, assisting users in choosing stronger passwords more precisely with millisecond-level response latency.