LLMs & Passwords: AI Generates Predictable, Easily Cracked Codes

by Chief Editor

AI-Generated Passwords: A Security Risk You Need to Know About

The rise of artificial intelligence is transforming countless aspects of our lives, but it’s also introducing new security vulnerabilities. Recent research reveals a concerning trend: Large Language Models (LLMs) like Claude, ChatGPT, and Gemini are surprisingly poor at generating strong, unpredictable passwords. This isn’t just a theoretical problem; it has real-world implications, especially as AI agents become more autonomous and begin managing accounts on their own.

The Predictability Problem: How LLMs Fail at Randomness

LLMs are designed to predict the next token in a sequence. This is fundamentally at odds with the requirements of a strong password, which needs to be truly random. Studies show LLM-generated passwords exhibit several alarming patterns. For example, a significant number begin with an uppercase “G” followed by the number “7”.

Character selection is also uneven. Certain characters, like “L”, “9”, “m”, “2”, “$”, and “#”, appear in nearly every generated password, whereas others, such as “5” and “@”, are rarely used. Most letters of the alphabet are also conspicuously absent. This lack of diversity dramatically reduces the password’s complexity and makes it easier to crack.

Duplication and Limited Variety

The issue extends beyond character choice. Researchers found a surprising amount of password duplication. In one test, Claude generated 50 passwords, but only 30 were unique. The password “G7$kL9#mQ2&xP4!w” repeated 18 times, giving it a 36% probability of being selected, far above the probability any single value should have if the password were truly random with 100 bits of entropy.

LLMs also tend to avoid repeating characters within a single password, seemingly because it “looks less random.” Yet, this is a flawed attempt at mimicking randomness and actually makes the passwords more predictable.

Why This Matters: Autonomous Agents and Account Security

The problem isn’t limited to individual users asking an AI to create a password. As AI agents become more prevalent, they will inevitably need to create and manage accounts autonomously. If these agents rely on LLMs for password generation, they will be creating inherently weak security credentials.

This raises broader questions about the authentication of autonomous agents. The entire process of verifying the identity of an AI agent presents significant challenges, and weak password generation is just one piece of the puzzle.

The Markdown Issue and Symbol Avoidance

Interestingly, Claude also avoids using the asterisk (*) symbol, likely because it has a special meaning in Markdown, the formatting language Claude uses for its output. This demonstrates how the LLM’s underlying design and output format can influence its password generation behavior.

What Can Be Done?

Experts recommend avoiding LLMs for password generation altogether. Developers should direct coding agents to use secure password generation methods instead. AI labs should also prioritize training their models to prefer secure password generation by default.

Frequently Asked Questions

Are password checkers reliable?
Online password checkers often offer a false sense of security. They may flag LLM-generated passwords as strong because they don’t recognize the underlying patterns.
Is this a new problem?
The issue of LLM-generated passwords came to light with research published in February 2026 that highlighted these weaknesses.
What is a CSPRNG?
A Cryptographically Secure Pseudorandom Number Generator (CSPRNG) is essential for strong password generation, ensuring characters are unpredictable and uniformly distributed.
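As an added example (not code from the article or from the research it summarises), the script below generates passwords with the operating system's CSPRNG via Python's `secrets` module and audits a batch for the duplication and character-coverage patterns described above; the function names are my own, and the LLM-like batch is constructed to match the article's counts (50 drawn, 30 unique, one value repeated 18 times).

```python
import math
import secrets
import string
from collections import Counter

# 94 printable ASCII symbols: the full alphabet a password generator should draw from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw each character independently and uniformly from the OS CSPRNG.

    secrets.choice rejects out-of-range draws instead of reducing them
    modulo the alphabet size, so no character is favoured.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def audit_sample(passwords: list[str]) -> dict:
    """Measure the patterns the article warns about in a batch of passwords:
    how many are unique, the share taken by the most frequent one, and what
    fraction of the 94-symbol alphabet is ever used."""
    counts = Counter(passwords)
    top_password, top_count = counts.most_common(1)[0]
    used = set("".join(passwords))
    return {
        "total": len(passwords),
        "unique": len(counts),
        "top_password": top_password,
        "top_share": top_count / len(passwords),
        "alphabet_coverage": len(used) / len(ALPHABET),
    }


# Constructed sample shaped like the article's figures (50 drawn, 30 unique,
# one value repeated 18 times); the variant strings are made up for illustration.
LLM_LIKE_SAMPLE = (
    ["G7$kL9#mQ2&xP4!w"] * 18
    + [f"G7$kL9#mQ2&xP{i:02d}" for i in range(28)]
    + ["G7$kL9#mQ2&xP4!v"] * 4
)

if __name__ == "__main__":
    print("LLM-like batch:", audit_sample(LLM_LIKE_SAMPLE))
    print("CSPRNG batch:  ", audit_sample([generate_password() for _ in range(50)]))
    print("bits per 16-char password:", round(password_entropy_bits(16, len(ALPHABET)), 1))
```

Running the audit on a CSPRNG batch shows every password unique and a wide spread of characters, while the constructed batch reproduces the 36% share of a single value.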
