If you had to generate a strong password, would you trust AI to do it?
It seems reasonable.
After all, AI tools like ChatGPT and Copilot can do some impressive stuff, like draft emails, write reports, and even create bits of code. Asking them for a 16-character password packed with symbols and numbers feels like a smart shortcut.
But you may want to think twice.
Researchers recently tested AI tools by asking them to generate secure passwords.
At first glance, everything looked great. The generated passwords were long strings of mixed-case letters, numbers and symbols.
When the passwords were run through online strength checkers, they scored highly. Some tools even claimed the passwords would take centuries to crack.
But a different picture emerged when these passwords were analysed properly.
In the background, AI systems use large language models (LLMs). These predict what text should come next. And it works well, with results that often come across as very natural.
But an LLM is not designed to create true randomness.
And randomness is what strong passwords rely on.
When researchers looked at dozens of AI-generated passwords, they found clear patterns. Some were duplicates, and many followed nearly identical structures.
Notably, none included repeated characters.
That may seem positive, but true randomness often includes repetition. Without it, the password is more likely following learned patterns than being genuinely unpredictable.
The researchers also measured “entropy,” a technical term for how unpredictable something is.
AI-generated passwords scored far lower than a genuinely random 16-character password should.
That means they may be far easier to crack in a brute-force attack, where hackers rapidly test huge numbers of combinations.
Online password checkers don’t catch this because they only look at visible complexity.
They see symbols and numbers and assume the password is secure, but they miss the hidden patterns AI can introduce.
Newer models like Gemini 3 Pro have even issued warnings, advising users not to use them to generate passwords for secure accounts.
That says something.
For truly secure passwords, use a password manager with a built-in generator.
These use mathematical processes for cryptographic randomness. In other words, they are specifically designed to create unpredictable results.
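To make the entropy and repetition points concrete, here is an added Python example (not code from the researchers or from any password manager). It assumes a 94-character alphabet of printable ASCII letters, digits and symbols; the function names are illustrative.

```python
import math
import secrets
import string

# Assumption: the 94 printable ASCII letters, digits and symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=16):
    """Pick every character independently using the OS cryptographic RNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def ideal_entropy_bits(length=16, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def prob_no_repeats(length=16, alphabet_size=len(ALPHABET)):
    """Chance that a uniformly random password contains no repeated character."""
    p = 1.0
    for i in range(length):
        p *= (alphabet_size - i) / alphabet_size
    return p

def audit(passwords):
    """Count exact duplicates and passwords without any repeated character."""
    no_repeat = [pw for pw in passwords if len(set(pw)) == len(pw)]
    return {
        "count": len(passwords),
        "duplicates": len(passwords) - len(set(passwords)),
        "no_repeat_chars": len(no_repeat),
        # How likely a truly random batch is to be entirely repeat-free.
        "p_batch_repeat_free_if_random": math.prod(
            prob_no_repeats(len(pw)) for pw in passwords
        ),
    }

if __name__ == "__main__":
    print(f"Ideal entropy, 16 chars: {ideal_entropy_bits():.1f} bits")
    print(f"Random password with no repeats: {prob_no_repeats():.0%} of the time")
    batch = [generate_password() for _ in range(50)]
    print(audit(batch))
```

Roughly one in four truly random 16-character passwords has no repeated character, so a batch of dozens with none at all is a strong sign the passwords were not generated randomly.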
AI is a great productivity tool, but it’s the wrong choice for security essentials like passwords.
If you need help choosing the right password manager for your business, get in touch.


