Choosing a secure password isn’t always easy. That’s why some people are turning to “artificial intelligence” (such as chatbots like ChatGPT and Google Gemini) to create secure passwords.
However, security experts at Irregular warn against this approach. Several tests showed that passwords created using “AI” are very easy to crack, even if they appear secure at first glance.
A fatal flaw in AI-generated passwords
The reason is simple: all LLM-based AI models fundamentally operate on probabilities. Just as AI-generated text and images are created by probability-based functions, AI-generated passwords are also probability-based. In other words, such passwords are created using data based on known passwords and are formulated to find a “probably safe” password.
Therefore, passwords generated by AI are never random. Experts have noticed that AI tends to place certain characters or strings of characters in the same (i.e., predictable) positions. As if that wasn’t bad enough, passwords often started with similar letters or strings of letters, with little variation in the numbers or letters chosen.
Some examples from the report:
- All generated passwords start with a letter, usually an uppercase letter. The letter G appeared especially frequently.
- The characters L, 9, m, 2, $ and # were included in all generated passwords, while some characters were not used.
- None of the passwords contained duplicate characters, but if the characters were chosen truly randomly, duplicates should have occurred at some point. The AI assumed that the password wouldn’t look “random enough” otherwise.
- Because some passwords were repeated, only 30 of the 50 passwords generated were truly new.
- The most common password, G7$kL9#mQ2&xP4!w, was generated a total of 18 times.
What is the conclusion? Not only can AI chatbots not generate random passwords, but the passwords they generate are extremely weak. AI-generated passwords are not secure enough to withstand simple brute force attacks. These issues were present in all the AI models investigated, including ChatGPT, Gemini, and Claude.
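The patterns listed above can be measured over any batch of generated passwords, and compared with a batch drawn from the operating system's CSPRNG. The following is an added example, not code from the report or from this article; the 94-character alphabet, the function names, and every sample password other than G7$kL9#mQ2&xP4!w are assumptions constructed for illustration.

```python
import math
import random
import secrets
import string
from collections import Counter

# Assumed policy: 16 characters drawn from the 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
LENGTH = 16

def generate(length=LENGTH):
    """Draw every character independently from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def p_no_repeat(length=LENGTH, size=len(ALPHABET)):
    """Chance that a uniformly random password has no repeated character."""
    return math.prod((size - i) / size for i in range(length))

def audit(batch):
    """Measure the patterns the report lists, over one batch of passwords."""
    n = len(batch)
    return {
        "unique": len(set(batch)),
        "most_common": Counter(batch).most_common(1)[0],
        "top_first_char": Counter(p[0] for p in batch).most_common(1)[0],
        "starts_with_letter": sum(p[0].isalpha() for p in batch) / n,
        "no_repeated_char": sum(len(set(p)) == len(p) for p in batch) / n,
    }

def constructed_sample():
    """Stand-in batch shaped like the report's numbers (50 total, 30 unique,
    one password 18 times). Only `base` is from the article; the variants are
    constructed with a seeded PRNG purely so the sample is reproducible."""
    base = "G7$kL9#mQ2&xP4!w"
    rng = random.Random(0)  # never use `random` for real passwords
    variants = ["G" + "".join(rng.sample(base[1:], 15)) for _ in range(29)]
    return [base] * 18 + variants + variants[:3]

if __name__ == "__main__":
    print("P(no repeated char), random password:", round(p_no_repeat(), 3))
    print("patterned:", audit(constructed_sample()))
    print("CSPRNG   :", audit([generate() for _ in range(50)]))
```

Under these assumptions only about a quarter of truly random 16-character passwords contain no repeated character, so a batch of 50 with none at all is itself a sign that the output is not random.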
The risks and consequences are real
The idea of using AI chatbots to create passwords is already having real-world impact, according to security experts. They were able to discover some of the patterns found in AI passwords in open source code on developer platforms like GitHub.
These easily recognizable patterns pose significant security risks. Hackers can exploit them to launch targeted attacks on your applications. And it’s not just developers who are at risk, but also real-world users who decide to use an AI chatbot to create passwords.
Experts disagree with this practice, warning of the dangers of relying too much on AI. Some chatbots (such as Gemini) also display a warning that you should not use passwords generated with the help of AI. One reason for this is that passwords are processed through the server.
Key points: To create truly secure passwords, you should use a genuine randomized password generator. These are often already integrated into your password manager. Get started with one of our picks for the best password managers to keep your passwords safe.
This article was originally published in our sister publication PC-WELT and was translated and localized from German.
