• Home  
  • Why AI Generated Passwords Aren’t Secure
- Cybersecurity

Why AI Generated Passwords Aren’t Secure

New research shows AI chatbots produce predictable passwords, exposing users to attacks. Learn why you should skip AI‑generated passwords and use trusted managers.

Why AI Generated Passwords Aren’t Secure

Only 30 unique passwords emerged from 50 prompts, and one string – G7$kL9#mQ2&xP4!w – showed a 36% probability of reappearing, according to Irregular’s study. That’s a startlingly low level of randomness for something that’s supposed to protect our digital lives.

Key Takeaways

  • AI chatbots produce passwords that follow observable patterns.
  • Predictable passwords boost the success rate of dictionary attacks.
  • Trusted password managers use cryptographically secure generators.
  • Prompt engineering can improve AI output, but most users won’t fine‑tune prompts.
  • Passkeys and password managers are safer alternatives.

AI generated passwords: Why They’re Not Random

When Irregular asked Claude, ChatGPT, and Gemini to “please generate a password,” the bots didn’t give us a fresh random string each time. Instead, every password began with a letter, usually followed by the number 7, and many of the same characters kept showing up. That’s the kind of pattern you’d expect from a language model, not a CSPRNG.

Patterns that betray randomness

The researchers ran 50 password‑generation requests and found that the bots avoided repeating characters – a quirk of their output format. They also skipped entire sections of the alphabet and omitted certain symbols entirely. The result? Only 30 distinct passwords. That’s a 40% uniqueness rate, which is far below the standards expected for secure credentials.

It didn’t work. The bots kept leaning on the same handful of letters and numbers. That means an attacker could, with a relatively small list, guess a large portion of AI‑generated passwords. Malwarebytes has warned that dictionary attacks thrive on such predictability, and adding a few thousand AI‑crafted strings would only make the job easier.

Why true randomness matters

Strong password generators rely on cryptographically secure pseudorandom number generators – CSPRNGs – that produce output without any discernible pattern. Those algorithms are designed to be unpredictable, unlike language models that are trained to spot and reproduce patterns. When you see a password like G7$kL9#mQ2&xP4!w, it looks complex, but the underlying generation process isn’t random at all.

That’s the catch. A password might appear “secure” to the eye, yet be vulnerable because the generation method is biased. The research shows that AI‑generated passwords can be cracked faster than truly random ones, simply because the search space is smaller than it appears.

What the numbers tell us

  • 50 prompts yielded only 30 unique passwords.
  • One password repeated enough for a 36% appearance probability.
  • Every password started with a letter and usually the digit 7.
  • Several letters and symbols never showed up at all.

Prompt engineering isn’t a panacea

The Irregular team noted that a more refined prompt might coax the models into producing better‑looking passwords. But the average user isn’t going to craft sophisticated prompts for something as simple as a password. Most people will type “please generate a password” and trust the result, even if the AI claims it’s “strong” and “unique.”

We’ve seen this before. Users love the convenience of AI, and they often overlook the underlying limitations. In security, convenience can’t outweigh risk, especially when the risk is quantifiable, as this study demonstrates.

Better alternatives: password managers and passkeys

Instead of leaning on AI, you should turn to dedicated password managers. They generate long, random strings using CSPRNGs and store them securely, so you only need to remember one master password or use a biometric token. That’s why the article recommends using a password manager as the default solution.

Passkeys are even more promising. They replace passwords with cryptographic keys that are tied to your device, eliminating the need for memorized strings altogether. As more services adopt passkeys, the reliance on passwords – AI‑generated or not – will shrink.

Choosing a manager that does it right

Look for a manager that includes a strength meter and lets you specify length, character sets, and symbols. Those features ensure you get a truly random password rather than something the model might bias toward. And remember, a good manager encrypts your vault locally, so the provider can’t see your passwords.

Industry reaction and next steps

While ZDNet’s piece focuses on the research, other outlets like Malwarebytes have echoed the concern about dictionary attacks using AI‑generated lists. The consensus is clear: AI chatbots aren’t reliable security tools, and relying on them for password creation is a mistake.

That’s why developers should embed warnings into their apps. If a user tries to paste a password generated by an AI, the UI could flag it and suggest using a built‑in generator instead. Small UX changes can steer people away from insecure habits.

What This Means For You

If you’re a developer, stop offering AI‑generated passwords as a feature. Instead, integrate a CSPRNG‑based generator or recommend a reputable password manager. Your users will thank you when a breach is averted because they didn’t reuse a predictable AI‑crafted password.

If you’re a founder, consider building passkey support into your product roadmap. The industry is moving toward passwordless authentication, and early adoption can give you a competitive edge while keeping your user base safe.

What will happen when AI models get better at mimicking randomness? That question looms large, but until we see proven, unbiased randomness from a model, the safest bet remains traditional, cryptographically secure generators.

Historical Context: From Manual Creation to AI Assistance

Passwords have been around since the earliest days of multi‑user systems. Back then, administrators wrote them down on paper and told users to memorize a short phrase. As the internet grew, the need for longer, more complex strings became apparent. That shift gave rise to the first password generators, which used simple algorithms to mix letters, numbers, and symbols.

When cryptographic libraries introduced CSPRNGs, the security community embraced them because they could produce truly unpredictable output. Password managers built on those libraries, offering users a way to avoid the human tendency to pick easy‑to‑remember patterns. Those tools have become the baseline for security best practice.

The rise of conversational AI added a new temptation: ask a bot for a password and get an instant answer. The technology behind chatbots excels at completing sentences and mimicking human style, not at generating entropy. That mismatch explains why the Irregular study found a high degree of repetition across dozens of prompts.

Understanding this lineage helps explain why a model trained on language data can’t replace a dedicated random generator. The old tools were designed for randomness. The new tools are designed for fluency. Mixing the two without careful engineering creates a gap that attackers can exploit.

Concrete Scenarios: How Different Roles Can Respond

Developer scenario. You’re building a SaaS platform that lets users create accounts. The onboarding flow includes a “Generate a secure password” button. If you hook that button up to an AI endpoint, you inherit the patterns identified in the study. Instead, replace the call with a local CSPRNG routine. The change adds only a few lines of code but removes the risk of serving predictable strings.

Small‑business owner scenario. Your team uses a shared spreadsheet to track login credentials for internal tools. A colleague suggests copying a password that ChatGPT generated in a recent chat. By that point, the password may already be part of the 30‑password pool uncovered by Irregular. Switching the spreadsheet to a password‑manager vault instantly raises the security level without demanding new habits.

Founder scenario. Your product roadmap includes a “AI‑powered assistant” that can suggest passwords. Before committing resources, run a quick internal test: ask the assistant for 20 passwords and compare the uniqueness rate to the 40% benchmark from the study. If the numbers look similar, you know the feature needs a redesign that incorporates a true random engine.

These snapshots illustrate that the same underlying issue appears across roles. The solution—using a proven random generator and, where possible, moving toward passkeys—remains consistent.

Key Questions Remaining

  • Can future model architectures be trained with entropy as a primary objective, and would that change the randomness profile?
  • What is the minimal size of an AI‑generated password list that would meaningfully aid a dictionary attack against real‑world accounts?
  • How will regulatory bodies treat the use of AI‑generated credentials in compliance frameworks that currently require cryptographic randomness?
  • Will the industry develop standards for “AI‑safe” password generation, similar to existing guidelines for CSPRNG usage?

Answers to these questions will shape the next wave of security recommendations. Until then, the safest path stays grounded in proven randomness, not in the illusion of AI‑crafted complexity.

Sources: ZDNet, Malwarebytes

About the Author

— AI & Technology Reporter

Halil Kale is an AI and technology reporter at AI Post Daily, where he covers artificial intelligence, machine learning, cybersecurity, and the business of tech. With a background in computer science and over five years of experience tracking the AI industry, Halil specializes in translating complex technical developments into clear, actionable insights for developers, founders, and technology professionals. He has reported on breakthroughs from Anthropic, OpenAI, Google DeepMind, and NVIDIA, as well as critical cybersecurity incidents and emerging robotics applications. Halil believes that understanding AI is no longer optional — it's essential for anyone working in or around technology. At AI Post Daily, he applies rigorous editorial standards to ensure every story is accurate, sourced, and genuinely useful to readers.

About AI Post Daily

Independent coverage of artificial intelligence, machine learning, cybersecurity, and the technology shaping our future.

Contact: Get in touch

We use cookies to personalize content and ads, and to analyze traffic. By using this site, you agree to our Privacy Policy.