Facepalm: As we continue waiting for AI to find a cure for cancer, it seems there's something else it isn't very good at: generating passwords. New research suggests that asking large language models to create "strong" passwords might be a surprisingly bad idea.

Security firm Irregular analyzed outputs from tools such as Claude, ChatGPT, and Gemini, and found that many AI-generated passwords appear complex but are actually highly predictable and crackable.

When asked to generate 6-character secure passwords including special characters, numbers, and letters, the models produced repeated patterns and even identical outputs across multiple prompts.

One batch of 50 passwords generated by Claude Opus 4.6 produced just 30 unique results. There were 20 duplicates, 18 of which were the exact same string.

Another issue was the predictability of the passwords that were generated. Every password Claude generated started with a letter, usually an uppercase "G." The second character was almost always the digit "7." The characters "L," "9," "m," "2," "$" and "#" appeared in every one of the generated passwords, and most of the alphabet never appeared in any of them.

ChatGPT, meanwhile, liked to start almost every password it generated with the letter "v," and almost half of them used "Q" as the second character. Gemini was the same, starting most of its passwords with a lowercase or uppercase "k" and almost always using a variation of "#," "P," or "9" for its second character.

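Irregular also said none of the 50 passwords contained repeating characters. While this might make them sound random, probability suggests the opposite: in a batch of truly random strings, some would be expected to contain a repeated character purely by chance.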

Researchers say the issue stems from how large language models work. These systems are trained to generate plausible patterns based on statistical probability rather than true randomness. This means the passwords may appear strong but are "fundamentally insecure" and easy to guess.

The findings highlight a core security principle: unpredictability matters more than complexity. Password strength relies on entropy – the degree of randomness in a string – and predictable patterns reduce that entropy even if the password contains symbols and mixed case.
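The Python sketch below is an added example, not code from Irregular or from this article. It measures the signals described above (duplicates, first-character entropy, absence of repeated characters) on a constructed batch and pairs them with a generator that draws from the operating system's CSPRNG; the 94-symbol printable-ASCII alphabet and the sample strings are assumptions.

```python
import math
import secrets
import string
from collections import Counter

# Assumption: 94 printable ASCII symbols; length 6 follows the prompt quoted above.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
LENGTH = 6

def generate_password(length=LENGTH):
    """Draw every character independently and uniformly from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def shannon_bits(counts):
    """Empirical Shannon entropy, in bits, of an observed frequency table."""
    total = sum(counts.values())
    return 0.0 - sum(c / total * math.log2(c / total) for c in counts.values())

def expected_no_repeat(length=LENGTH, symbols=len(ALPHABET)):
    """Chance that one uniformly random password has no repeated character."""
    return math.prod((symbols - i) / symbols for i in range(length))

def batch_report(passwords):
    """Summarise the signals the article lists for a batch of passwords."""
    n = len(passwords)
    p_clean = expected_no_repeat(len(passwords[0]))
    return {
        "unique": len(set(passwords)),
        "top_count": Counter(passwords).most_common(1)[0][1],
        "first_char_bits": shannon_bits(Counter(p[0] for p in passwords)),
        "no_repeat_seen": sum(len(set(p)) == len(p) for p in passwords) / n,
        "no_repeat_expected": p_clean,
        "p_all_no_repeat": p_clean ** n,  # chance a uniform batch shows zero repeats
    }

# Constructed batch with the skew described above; not Irregular's data.
SKEWED = ["G7$L9m"] * 18 + [f"G7{a}{b}9m" for a in "$#L2" for b in "KxPw4&Qz"]

if __name__ == "__main__":
    for name, batch in (("skewed", SKEWED),
                        ("csprng", [generate_password() for _ in range(50)])):
        print(name, batch_report(batch))
    print("uniform first-character entropy:", math.log2(len(ALPHABET)), "bits")
```

A first-character entropy near zero and a batch with no repeated characters at all are both signs that the strings did not come from a uniform source, however complex each one looks.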

Humans already struggle to create high-entropy passwords, often reusing patterns or substituting predictable characters like "3" for "E." AI appears to inherit similar weaknesses.

As with much of what AI produces, the technology might excel at sounding convincing, but its output is often flawed and shouldn't be blindly trusted.

"People and coding agents should not rely on LLMs to generate passwords," Irregular wrote. "Passwords generated through direct LLM output are fundamentally weak, and this is unfixable by prompting or temperature adjustments: LLMs are optimized to produce predictable, plausible outputs, which is incompatible with secure password generation."