AI-Generated Passwords Found to Be Insecure
Researchers found that passwords generated by popular AI chatbots such as Anthropic's Claude and OpenAI's GPT models are significantly weaker than security standards require. A podcast report on February 24th noted that these passwords carry only about 27 bits of entropy, which makes them crackable in hours, and advised against using them for sensitive accounts.
- The research, conducted by the cybersecurity firm Irregular, found that large language models (LLMs) are not designed to produce the true randomness that secure password generation requires; they are optimized to produce predictable, plausible output.
- A truly secure 16-character password should have about 98 bits of entropy, but the AI-generated passwords had an estimated 20 to 27 bits, leaving them far more vulnerable to brute-force attacks.
- Specific, predictable patterns were identified in the output of major models: passwords from OpenAI's ChatGPT frequently started with "v", while Google's Gemini often began with "K" or "k".
- In tests, Anthropic's Claude model showed heavy repetition: when prompted to generate 50 unique passwords, it produced only 23 distinct results, and one password appeared 10 times.
- The characters "L", "9", "m", "2", "$" and "#" appeared in all 50 passwords generated by Claude, while a large portion of the alphabet was never used at all.
- Cybersecurity experts, including those from the IEEE, warn that once the underlying patterns are known, these AI-generated passwords can be cracked in minutes or hours even with modest hardware.
- The core issue is that LLMs do not use cryptographically secure pseudorandom number generators (CSPRNGs). CSPRNGs are standard in dedicated password managers and are designed to give every character an equal and unpredictable chance of being selected.
- National Institute of Standards and Technology (NIST) guidelines recommend a minimum password length of 8 characters but encourage longer passphrases of at least 15 characters, prioritizing length over complexity.
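The figures above (98 bits for a uniform 16-character password, a 50-sample batch with only 23 distinct outputs and a fixed set of ever-present characters) can be reproduced and checked with a few lines of Python. The example below is added here; it is not code from the report or from Irregular's study. It generates passwords with Python's CSPRNG-backed `secrets` module over a constructed 70-symbol alphabet, and runs three batch checks a practitioner can apply to any password source: distinct count, characters common to every password, and an empirical per-position entropy estimate. The "templated" sample it compares against is a constructed stand-in that only mimics the shape the report describes (50 outputs, 23 distinct, one repeated 10 times, six characters present in all); it is not the actual model output.

```python
"""Added example: measuring how far a batch of passwords is from the uniform,
CSPRNG-generated ideal. Not from the report or from Irregular's study."""
import math
import secrets
import string
from collections import Counter

# Constructed 70-symbol alphabet: 52 letters, 10 digits, 8 symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def ideal_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a password whose characters are drawn uniformly and independently.
    For 16 characters over 70 symbols this is about 98 bits, the figure the report cites."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16) -> str:
    """CSPRNG-backed generation: secrets.choice draws from the OS entropy source,
    so every symbol is equally likely at every position."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def distinct_count(passwords):
    """Number of distinct strings and the occurrence count of the most frequent one."""
    counts = Counter(passwords)
    return len(counts), counts.most_common(1)[0][1]


def always_present_chars(passwords):
    """Characters that occur in every password of the batch (a sign of a fixed template)."""
    return set.intersection(*(set(p) for p in passwords))


def per_position_entropy_bits(passwords):
    """Empirical Shannon entropy summed over character positions.
    Each position can contribute at most log2(len(passwords)) bits, so with 50
    samples this underestimates a truly uniform source, but it exposes positions
    that never vary and batches built from a template."""
    length = len(passwords[0])
    n = len(passwords)
    total = 0.0
    for pos in range(length):
        freq = Counter(p[pos] for p in passwords)
        total -= sum(c / n * math.log2(c / n) for c in freq.values())
    return total


def constructed_templated_sample():
    """Constructed stand-in for a repetitive model output: 50 strings, 23 distinct,
    one repeated 10 times, and "L", "9", "m", "2", "$", "#" present in all of them.
    These are NOT the strings from the study; they only mimic its reported shape."""
    distinct = [f"L9m2$#Abc{i:02d}xQw{'pqr'[i % 3]}Z" for i in range(23)]
    sample = [distinct[0]] * 10          # one string appearing 10 times
    for s in distinct[1:19]:             # 18 strings appearing twice
        sample += [s, s]
    sample += distinct[19:]              # 4 strings appearing once
    return sample


if __name__ == "__main__":
    csprng_batch = [generate_password() for _ in range(50)]
    templated_batch = constructed_templated_sample()
    print("ideal 16-char entropy: %.1f bits" % ideal_entropy_bits(16))
    for name, batch in (("csprng", csprng_batch), ("templated", templated_batch)):
        print(name, "distinct/most-frequent:", distinct_count(batch),
              "always-present:", sorted(always_present_chars(batch)),
              "per-position entropy: %.1f bits" % per_position_entropy_bits(batch))
```

The per-position estimate is a lower bound that is capped by the batch size, so a result near 80 bits for 50 CSPRNG samples is expected, while a templated batch lands in single digits because most positions never change. The distinct count and the always-present set are the cheaper checks: a CSPRNG batch of 50 sixteen-character passwords has essentially zero chance of a repeat or of a character shared by every output.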