AI Chatbots Generate Predictable Passwords: Security Risks Revealed

Artificial intelligence chatbots – including ChatGPT, Claude, and Gemini – generate predictable passwords, according to a recent study by Irregular. Despite appearing strong, these AI-generated passwords are surprisingly repetitive, potentially making them easier for cybercriminals to crack. The research suggests that simply prompting an AI for a “strong password” could inadvertently hand attackers a usable credential.

Irregular tasked the Claude chatbot with generating 50 passwords, finding that only 23 were unique. The password “K9#mPx$vL2nQ8wR” appeared a striking 10 times. Further analysis revealed that the remaining passwords contained identical fragments, or followed the same structural patterns.

Testing by Android Police showed similar results with Google’s Gemini. When asked to create a “strong password,” Gemini repeatedly generated options containing the same words. Specifically, the terms “Solar,” “Thunder,” “Panda,” and “Jacket” frequently appeared across the 10 test cases. “Even though the string of numbers following the three nouns in the passwords was different each time, they used the same structure,” the researchers noted.

While automated systems might flag these passwords as secure, a human could easily recognize and memorize the underlying pattern. By repeatedly generating passwords with Gemini and identifying frequently used characters, numbers, and structures, an attacker could significantly narrow down the possible options.

The study highlighted that varying the prompts only altered the style of the generated passwords, but didn’t address the fundamental lack of randomness. ChatGPT performed best in the tests, but even it produced passwords with discernible patterns. Each chatbot generated a more diverse list when asked to create multiple passwords simultaneously.

AI can effectively explain the principles of strong password creation, but relying on it to generate them isn’t advisable. A better approach is to choose four random words, special characters, and numbers, and combine them in a password.

To significantly improve account security, enabling two-factor authentication (2FA) is crucial, as it adds an extra layer of protection even if a password is compromised. Passkeys offer an even higher level of security and eliminate the require to remember passwords altogether. Password managers aren’t foolproof, but can be a useful alternative for some users.