AI-generated passwords look strong but are easier to crack
What's the story
Generative AI tools are not very good at creating strong passwords, a new study has revealed. The research, conducted by security company Irregular, tested three popular GenAI tools—Claude, ChatGPT, and Gemini. The results showed that all three provided seemingly complex but easily guessable passwords. The study prompted each tool to generate 16-character passwords with special characters, numbers, and letters in different cases.
Password validation
Passwords looked strong but had common patterns
The generated passwords were tested on several online password strength checkers, which deemed them strong. Some even claimed that it would take centuries for a standard PC to crack these codes. However, the researchers found that all three AI chatbots produced passwords with common patterns. If hackers are aware of these patterns, they could use this information to inform their brute-force strategies.
Predictability issue
Most passwords were unique but lacked randomness
The study found that only 30 out of 50 passwords generated by Claude's Opus 4.6 model were unique, with most starting and ending with the same characters. This suggests a lack of randomness in the generated passwords. Similar results were observed when testing OpenAI's GPT-5.2 and Google's Gemini 3 Flash.
Cautionary note
Gemini 3 Pro issued a security warning with generated passwords
Gemini 3 Pro provided three password options (high complexity, symbol-heavy, and randomized alphanumeric) but the first two followed similar patterns. The third option appeared more random. Notably, this model also issued a security warning with the generated passwords, advising against their use for sensitive accounts due to their generation in a chat interface. It even suggested users consider passphrases instead of traditional passwords for better security.
Brute-force vulnerability
LLM-generated passwords could be easily brute-forced
The researchers estimated the entropy of the LLM-generated passwords using the Shannon entropy formula. Depending on the estimation method, the 16-character LLM-generated passwords came out at around 27 bits and 20 bits of entropy; for a truly random 16-character password, the same methods expect 98 bits and 120 bits. This means that LLM-generated passwords could easily be brute-forced in a few hours on even a decades-old computer, Irregular claimed.
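The two checks the article describes, the uniqueness and shared start/end characters of a batch of generated passwords and a Shannon-entropy estimate compared with a uniformly random baseline, as an added example that is not from the study or the article. The password list is constructed to mimic the pattern described, not real model output, and summing per-position entropy is an assumed estimator, not necessarily the study's exact procedure.

```python
import math
from collections import Counter

# Constructed sample standing in for chatbot output (not real model output):
# every password shares the same opening and closing characters and half of
# the list is duplicated, mimicking the pattern the article describes.
SAMPLE = [
    "Xk9#mP2$vL7@qR4!", "Xk9#mP2$vL7@qR4!",
    "Xk9#nQ3$wM8@tS4!", "Xk9#nQ3$wM8@tS4!",
    "Xk9#bT6$zN1@hF4!", "Xk9#bT6$zN1@hF4!",
]

def unique_fraction(passwords):
    """Share of distinct strings in the batch (the article's 30-of-50 check)."""
    return len(set(passwords)) / len(passwords)

def shared_start_end(passwords):
    """Most common first and last character, each with the share of passwords using it."""
    n = len(passwords)
    first, first_count = Counter(p[0] for p in passwords).most_common(1)[0]
    last, last_count = Counter(p[-1] for p in passwords).most_common(1)[0]
    return first, first_count / n, last, last_count / n

def shannon_bits(symbols):
    """Shannon entropy H = -sum(p * log2 p) over the symbol frequencies, in bits."""
    total = len(symbols)
    return -sum(c / total * math.log2(c / total) for c in Counter(symbols).values())

def empirical_entropy_bits(passwords):
    """Assumed estimator: Shannon entropy of the characters seen at each position,
    summed over all positions. A fixed or repeated character at a position adds
    nothing, which is what drags patterned passwords far below the random baseline.
    With a small batch each position contributes at most log2(n) bits, so the
    estimate also understates a genuinely random source."""
    length = len(passwords[0])
    return sum(shannon_bits([p[i] for p in passwords]) for i in range(length))

def theoretical_entropy_bits(length, alphabet_size):
    """Entropy of a password drawn uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    print(f"unique fraction: {unique_fraction(SAMPLE):.2f}")
    print("most common start/end:", shared_start_end(SAMPLE))
    print(f"empirical entropy: {empirical_entropy_bits(SAMPLE):.1f} bits")
    # Assumed 70-symbol alphabet: 16 * log2(70) is about 98 bits, close to the
    # random baseline the article quotes.
    print(f"random 16-char baseline: {theoretical_entropy_bits(16, 70):.1f} bits")
```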