AI-generated passwords are surprisingly easy to crack, researchers find

midian182

Posts: 11,708   +177
Staff member
Facepalm: As we continue waiting for it to find a cure for cancer, it seems there's something else that AI isn't very good at: generating passwords. New research suggests that asking large language models to create "strong" passwords might be a surprisingly bad idea.

Security firm Irregular analyzed outputs from tools such as Claude, ChatGPT, and Gemini, and found that many AI-generated passwords appear complex but are actually highly predictable and crackable.

When asked to generate 6-character secure passwords including special characters, numbers, and letters, the models produced repeated patterns and even identical outputs across multiple prompts.

One batch of 50 passwords generated by Claude Opus 4.6 produced just 30 unique results. There were 20 duplicates, 18 of which were the exact same string.

Another issue was the predictability of the passwords that were generated. Every password Claude generated started with a letter, usually an uppercase "G." The second character was almost always the digit "7." The characters "L," "9," "m," "2," "$" and "#" appeared in every one of the generated passwords, and most of the alphabet never appeared in any of them.

ChatGPT, meanwhile, liked to start almost every password it generated with the letter "v," and almost half of them used "Q" as the second character. Gemini was the same, starting most of its passwords with a lowercase or uppercase "k" and almost always using a variation of "#," "P," or "9" for its second character.

Irregular also said none of the 50 passwords contained repeating characters. While this might make them sound random, probability suggests the opposite.

Researchers say the issue stems from how large language models work. These systems are trained to generate plausible patterns based on statistical probability rather than true randomness. It means the passwords may appear strong but are "fundamentally insecure" and easy to guess.

The findings highlight a core security principle: unpredictability matters more than complexity. Password strength relies on entropy – the degree of randomness in a string – and predictable patterns reduce that entropy even if the password contains symbols and mixed case.

Humans already struggle to create high-entropy passwords, often reusing patterns or substituting predictable characters like "3" for "E." AI appears to inherit similar weaknesses.

As with much of what AI produces, the technology might excel at sounding convincing, but its output is often flawed and shouldn't be blindly trusted.

"People and coding agents should not rely on LLMs to generate passwords," Irregular wrote. "Passwords generated through direct LLM output are fundamentally weak, and this is unfixable by prompting or temperature adjustments: LLMs are optimized to produce predictable, plausible outputs, which is incompatible with secure password generation."

Permalink to story:

 
Password complexity has become largely irrelevant… hackers hack sites and very often find the passwords in plaintext - or a weakly decrypted file that enables them to be revealed in plaintext fairly quickly. The passwords are then added to wordlists that are distributed on the dark web and even a 100 character password can now be cracked in seconds…

Your only real protection is to have a different password for every account and make sure to change them often… even then, you’re not completely safe, but it’s about as close as you can get.
 
Password complexity has become largely irrelevant… hackers hack sites and very often find the passwords in plaintext - or a weakly decrypted file that enables them to be revealed in plaintext fairly quickly. The passwords are then added to wordlists that are distributed on the dark web and even a 100 character password can now be cracked in seconds…

Yeah, sometimes it's plain text, most times it isn't. If it isn't, complexity is very relevant.

Your only real protection is to have a different password for every account and make sure to change them often… even then, you’re not completely safe, but it’s about as close as you can get.
You're saying this like a sudden epiphany, while it's been well known (and taught) for decades.
 
There is no such thing as a "6-character secure password"!

You need at least 17 characters. Each character exponentially adds complexity and takes longer to brute force.
Its possible using a 6 character Unicode password. Unicode version 17.0, has 297,334 assigned characters with code points, covering 172 modern and historical scripts, as well as multiple symbol sets. S
 
The simplest secure and easy to remember passwords for me are writing an entire sentence with some random characters.

Example: My dog Charlie eats his own poo!2#

And most importantly, use 2 tier authentication.
 
Well yeah... it's going to find a relatively small amount of examples that it's trained on and repeat those with minor variations.

If you want to be safe, just make it long and throw in a digit/symbol to pass the regular requirements. Size matters, the longer the harder it is to crack. Added benefit if you don't go ham on special symbols it's a lot easier to put in on mobile without switching keyboard layouts or holding down buttons all the times. I try to make a short rhyme or short witty sentence with the site name in it, makes it easier to remember.

The most ridiculous thing is when sites put very short character limits on passwords like 12 characters. That's actively encouraging your users to use weak passwords and doesn't make sense. You shouldn't be storing passwords, so you're storing the (salted) hash of one - the length of that hash determines how you define the field in the database if you're stingy enough to try and save space there.
 
Back