AI-generated passwords pose security risks due to predictable patterns

Tech Radar reports that passwords generated by large language models (LLMs), while appearing complex, exhibit statistical predictability that makes them vulnerable to hacking. A recent study by Irregular examined password outputs from popular AI systems, revealing underlying structural weaknesses.

Researchers analyzed passwords generated by AI models like ChatGPT and Gemini, finding that many outputs were duplicates or followed similar structural patterns, despite passing initial complexity tests. The AI-generated passwords showed significantly lower entropy, estimated at between 20 and 27 bits, compared to genuinely random passwords, which measure between 98 and 120 bits. This gap suggests that these AI-generated passwords could be susceptible to brute-force attacks within hours. Online password strength meters may misclassify these predictable outputs as secure because they evaluate surface complexity rather than the statistical patterns inherent in AI text generation. Attackers could exploit these patterns to refine their guessing strategies and dramatically narrow the search space.

The study suggests that developers and users should not rely on LLMs for password generation, as the inherent predictability is unfixable through prompting. Dedicated password managers utilizing cryptographic randomness are recommended instead.
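The contrast described above, as an added Python example that is not code from the study or from Tech Radar: a generator backed by the operating system's CSPRNG next to a batch of look-alike passwords that pass a surface complexity check. The `PATTERNED` batch is constructed for illustration (not real model output), and the per-position estimator is a simple stand-in, not the study's methodology.

```python
import math
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def generate_password(length=16):
    """Draw each character independently and uniformly from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def design_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniform generator: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def passes_surface_check(pw):
    """What a naive strength meter sees: length plus character classes."""
    classes = (str.islower, str.isupper, str.isdigit,
               lambda c: c in string.punctuation)
    return len(pw) >= 12 and all(any(f(c) for c in pw) for f in classes)

def duplicate_rate(samples):
    """Fraction of a batch that repeats an earlier output."""
    return 1 - len(set(samples)) / len(samples)

def positional_entropy_bits(samples):
    """Sum of per-position Shannon entropy over equal-length samples.
    Capped at log2(len(samples)) per position and blind to correlations
    between positions, so only compare batches of the same size."""
    total = 0.0
    for column in zip(*samples):
        for n in Counter(column).values():
            p = n / len(samples)
            total -= p * math.log2(p)
    return total

# Constructed batch: shared skeleton, few varying positions, exact repeats.
PATTERNED = [
    "K7#mPq9$vL2@xR4!", "K7#mPq9$vL2@xR4!", "K9#mPq2$vL7@xR4!",
    "G7#mPq9$vL2@xT5!", "K7#mPq9$vL2@xR4!", "G9#mPq2$vL7@xR4!",
    "K7#nPq9$wL2@xR4!", "K9#mPq2$vL7@xT5!",
]

if __name__ == "__main__":
    csprng_batch = [generate_password() for _ in PATTERNED]
    print("all pass surface check:", all(map(passes_surface_check, PATTERNED)))
    print("duplicate rate:", duplicate_rate(PATTERNED))
    print("patterned estimate:", round(positional_entropy_bits(PATTERNED), 1))
    print("csprng estimate:   ", round(positional_entropy_bits(csprng_batch), 1))
    print("csprng design bits:", round(design_entropy_bits(16), 1))
```

Every string in the constructed batch satisfies the length and character-class check, yet the batch repeats itself and varies at only a handful of positions, which is the gap between surface complexity and actual randomness.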

Source: Tech Radar
