New research is challenging the appeal of AI-generated passwords. A study by the AI security firm Irregular found that popular generative AI tools, including Claude, ChatGPT, and Gemini, produce passwords that look intricate but are surprisingly easy to crack.
Testing AI Password Generation
Irregular prompted these AI models to create 16-character passwords that incorporated special characters, numbers, and mixed-case letters. The outputs, which looked robust at first glance, were submitted to various online password strength checkers. These tools, unaware of the common patterns in the passwords, rated them as strong and suggested they would take centuries to crack. The reality is far less reassuring.
Patterns and Predictability
The researchers found that the AI-generated passwords exhibited common patterns that attackers could exploit. For instance, when testing Claude's Opus 4.6 model, they found that out of 50 generated passwords, only 30 were unique, with many starting and ending with the same characters. Notably, none of the passwords contained a repeated character. In uniformly random 16-character strings a repeated character is common, so its complete absence indicates a lack of true randomness.
Entropy Measurements
Further analysis involved estimating the entropy of these passwords using the Shannon entropy formula. The 16-character passwords had estimated entropies of approximately 27 bits and 20 bits, depending on the method used. In contrast, a truly random password of the same length would be expected to have an entropy of around 98 bits. The gap suggests that LLM-generated passwords could be brute-forced in just a few hours, even on outdated hardware.
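The checks described under "Patterns and Predictability" and "Entropy Measurements" can be run on any batch of generated passwords. The following Python code is an added example, not Irregular's code or methodology: it draws passwords from the operating system's CSPRNG and audits a batch for uniqueness, repeated characters, and a per-position Shannon entropy estimate. The 70-character alphabet and the four sample passwords are assumptions constructed for the example.

```python
import math
import secrets
import string
from collections import Counter

# Assumed alphabet (not from the article): 52 letters + 10 digits + 8 symbols = 70.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

# Constructed sample showing the reported traits: a duplicate, common first
# and last characters, and no repeated character inside any password.
SAMPLE = ["K7#mPx9$vL2@nQ5w", "K9#pTx4$vR2@mL7w",
          "K7#mPx9$vL2@nQ5w", "G7#mRx2$kL9@nQ4w"]

def generate_password(length=16):
    """Draw every character independently from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def ideal_bits(length=16, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)

def shannon_bits(symbols):
    """Plug-in Shannon entropy H = -sum(p * log2(p)) of a sample, in bits."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def positional_bits(passwords):
    """Sum of per-position entropies. Ignores correlation between positions
    and cannot exceed log2(len(passwords)) per position, so compare it with
    a CSPRNG batch of the same size rather than with ideal_bits()."""
    return sum(shannon_bits(column) for column in zip(*passwords))

def audit(passwords):
    return {
        "unique": len(set(passwords)),
        "no_repeated_char": sum(len(set(p)) == len(p) for p in passwords),
        "positional_bits": round(positional_bits(passwords), 2),
    }

if __name__ == "__main__":
    print("ideal bits:", round(ideal_bits(), 1))
    print("constructed sample:", audit(SAMPLE))
    print("CSPRNG baseline:   ", audit([generate_password() for _ in SAMPLE]))
```

With this alphabet, most passwords from `generate_password()` contain at least one repeated character, so a batch in which none do is itself a signal of non-random generation.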
Implications for Security Practices
Irregular’s findings raise significant concerns about the reliance on AI for password generation. The firm cautioned that developers should not depend on LLMs for secure passwords, as the outputs are inherently weak and cannot be improved through adjustments in prompting or temperature settings. This vulnerability may extend beyond passwords, highlighting a broader issue in AI-assisted development.
As the industry continues to evolve, the gap between AI capabilities and actual security practices must be addressed. Irregular stressed the importance of reviewing and rotating any passwords generated by LLMs, urging caution in the face of these emerging technologies.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








