Don’t Trust AI with this Security Essential
Let me start with a question: If you needed a strong password, would you ask AI to generate one for you?
At first glance, it seems like a perfectly reasonable idea. AI tools like ChatGPT, Copilot, and Gemini can write reports, draft emails, summarize documents, and even generate code. Asking one to create a 16-character password filled with letters, numbers, and symbols feels like a logical shortcut.
Unfortunately, it's not the best approach.
Researchers recently put several AI tools to the test by asking them to generate secure passwords. On the surface, the results looked impressive. The passwords were long, included uppercase and lowercase letters, numbers, and special characters, and they scored well on common online password strength checkers. Some were even rated as taking centuries to crack.
However, a deeper analysis told a different story.
The problem lies in how AI works. Large language models (LLMs) are designed to predict what text is most likely to come next based on patterns they've learned from enormous amounts of data. That's exactly what makes them so effective at writing natural-sounding text.
What they aren't designed to do is generate true randomness.
And randomness is one of the most important ingredients of a strong password.
When researchers examined AI-generated passwords more closely, they found consistent patterns. Some passwords were nearly identical, while others followed very similar structures. One surprising finding was that none of the passwords contained repeating characters.
That might sound like a positive feature, but in reality, it's a sign that the passwords weren't truly random. Genuine random strings naturally include repeated letters, numbers, or symbols from time to time. Their complete absence suggests the AI was following learned patterns instead of creating unpredictable combinations.
Researchers also measured the passwords' entropy, a technical term that describes how unpredictable a password really is. While the passwords appeared complex, their entropy scores were significantly lower than those of a truly random 16-character password.
Why does that matter?
Attackers don't just look for simple passwords anymore. They use automated brute-force attacks that can test enormous numbers of password combinations every second. If passwords follow predictable patterns, those attacks become much more effective.
This is also why online password strength checkers can be misleading. Most evaluate visible complexity, such as password length and the inclusion of numbers, symbols, and mixed-case letters. They don't detect the hidden patterns that AI unintentionally introduces.
Even AI developers recognize this limitation. Newer models, including Gemini, have begun warning users not to rely on AI-generated passwords for important accounts and instead recommend using dedicated password generation tools.
The safest option is to use a reputable password manager with a built-in password generator. These tools use cryptographically secure random number generation, which is specifically designed to create passwords that are genuinely unpredictable and resistant to modern attacks.
Artificial intelligence is an incredibly valuable productivity tool, and it continues to improve in countless areas. But when it comes to something as critical as protecting your accounts, password security is one place where traditional security tools still outperform AI.
If you'd like help choosing a password manager or strengthening your organization's cybersecurity practices, we're here to help.











