AI tools can generate passwords that look strong, but new testing suggests they’re far easier to guess than they appear. Cybersecurity firm Irregular asked major models (Claude, ChatGPT, and Gemini) to create 16-character “secure” passwords with mixed symbols, numbers, and letters. Many outputs even scored “strong” in common password checkers—yet Irregular says the strings remain predictable at the pattern level.
The core issue is simple: large language models optimize for plausible text, not true randomness. In Irregular’s tests, each model repeatedly favored narrow character sets and common structures, which makes targeted guessing dramatically easier than a truly random password.
Why AI-generated passwords fail the randomness test
Irregular reports that truly secure passwords should average about 6.13 bits of entropy per character, but LLM-generated passwords landed closer to 2.08 bits per character. In practical terms, a properly random 16-character password can reach roughly 98 bits of entropy, while the AI outputs measured closer to 27 bits, a huge drop in resistance to brute-force attacks.
Researchers also flagged “too-clean” behavior that signals non-randomness. For example, the models avoided repeated characters at rates that would be unlikely in truly random strings, which ironically makes them easier to fingerprint and prioritize in attacks.
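To make the two measurements above concrete, here is an added example (not Irregular's code or methodology) that audits a batch of generated passwords for pooled character entropy and for the rate of passwords with no repeated character, next to a CSPRNG baseline. The 70-symbol alphabet is an assumption chosen because log2(70) is about 6.13, the `PATTERNED` strings are constructed for illustration, and all function names are hypothetical.

```python
import math
import secrets
import string
from collections import Counter

# Assumption: a 70-symbol alphabet, picked because log2(70) is about 6.13 bits/char.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

def generate(length=16):
    """Draw each character uniformly from ALPHABET with the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def ideal_bits(length=16, size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(size)

def p_no_repeat(length=16, size=len(ALPHABET)):
    """Chance that a uniformly random string has no repeated character."""
    return math.prod((size - i) / size for i in range(length))

def char_entropy(passwords):
    """Shannon entropy (bits/char) of pooled character frequencies.
    Ignores position and ordering, so it overestimates patterned generators."""
    counts = Counter("".join(passwords))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def no_repeat_rate(passwords):
    """Fraction of passwords whose characters are all distinct."""
    return sum(len(set(p)) == len(p) for p in passwords) / len(passwords)

def no_repeat_zscore(passwords):
    """Standard deviations between the observed no-repeat rate and uniform."""
    p = p_no_repeat(len(passwords[0]))
    return (no_repeat_rate(passwords) - p) / math.sqrt(p * (1 - p) / len(passwords))

# Constructed sample (not real model output): narrow character set, no repeats.
PATTERNED = ["K7#mP9$vL2@nQ4!x", "m9$KP2#vL7!xQ4@n",
             "P4@vK9#xL7$mQ2!n", "L2!nQ7$mK4#xP9@v"]

if __name__ == "__main__":
    batch = [generate() for _ in range(2000)]
    for name, pws in (("CSPRNG", batch), ("patterned", PATTERNED)):
        print(f"{name:10} {char_entropy(pws):.2f} bits/char, "
              f"no-repeat rate {no_repeat_rate(pws):.2f}, z={no_repeat_zscore(pws):+.1f}")
    print(f"ideal: {ideal_bits():.1f} bits, expected no-repeat rate {p_no_repeat():.3f}")
```

Under this alphabet only about 16% of uniformly random 16-character passwords contain no repeated character, so a batch in which nearly every password is repeat-free stands out even before any entropy estimate is made.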
What to do instead (safe + practical)
- Use a password manager or OS password generator (they rely on cryptographically secure randomness).
- Move important accounts to passkeys where available.
- Turn on MFA (authenticator app or hardware key beats SMS).
- If you already used an AI-made password for a sensitive account, change it now and rotate any reused variants.
Eco-friendly SEO angle: secure passwords reduce wasted compute
Weak, predictable passwords invite more brute-force attempts—often powered by GPU-heavy cracking rigs. Stronger, truly random credentials reduce attack cycles, incident response work, and repeated reprocessing of logs and restores. In other words, better password hygiene supports sustainable cybersecurity by cutting avoidable compute energy and digital waste over time.

