
I Asked AI to Create Passwords. Here's Why I'll Never Do That Again

They may look complex, but AI-generated passwords often follow predictable patterns that hackers can exploit. I'll show you what to use instead.

By Kim Key, Senior Writer, Security


If you’re already using AI for everything from crafting tone-appropriate emails to finding a skincare routine that works, using a chatbot to generate passwords for you probably seems like a good idea. Don’t do it! Chatbots generate passwords that are weaker than they seem at first glance and could expose your accounts to brute-force attacks. 


AI Passwords Look Smart—But They're Full of Patterns

Recently, I came across research from Irregular, a cybersecurity firm, warning the public against using popular AI chatbots to generate passwords. To see what kinds of passwords LLMs create, I typed the following prompt into Google Gemini: “Please generate a set of ten 20-character passwords using all case types and all characters.”

The first few passwords Gemini generated fit the qualifications I requested. But after staring at the list for a few seconds, I noticed a big problem. Can you spot the similarities between these passwords? 

H9!sR2%nB7*vK4#mG1&p
X6#mQ1*tL9&vB2!sK8^j
N7^vB2#mK9!sQ4&pL1*x
z8!Wq2#mR9*vK4&pL5^t
P9#vL2*mB7&sQ4!xK1^r 

Here's the format the LLM is using for all of the passwords it generated for me: letter, number, special character, letter, letter, number, special character, letter, letter, number, special character, letter, letter, number, special character, letter, letter, number, special character, letter.

If I'm using an LLM to generate all my passwords and they all use the same format, that makes my passwords much easier for malicious AI agents (and humans!) to crack. An AI chatbot is not equipped to generate batches of highly secure passwords. 

Sure, the passwords certainly look secure, and they’d definitely be hard for any human to memorize, but there’s a pretty clear pattern you can follow to guess what type of character is coming next. When a password is predictable, it’s inherently insecure.

The most concerning part of this was the chatbot’s weird messages of reassurance. Each time I requested a new password from Gemini, in addition to the predicted string of characters, it also explained why the password it generated was secure and told me to trust it.

For example, here’s an aside from Gemini that accompanied one of the passwords generated above:

[Image: screenshot of Gemini's message. Credit: Google/PCMag]

Sure, calculating bits of entropy is a way to determine password strength for a single password, but Gemini generated five passwords in a row with the exact same character-type sequence. The AI did not create truly random passwords that do not follow human-readable patterns. After all, you and I were able to detect the pattern pretty quickly, right? 

Unfortunately, Gemini isn’t the only LLM creating batches of similar passwords. Researchers at Irregular tested several chatbots and found that each one created passwords with clear patterns.


Password Managers Do What AI Can't

Don’t accept messages promoting false security from software. Instead, use a password manager to generate and store your complex passwords for all of your online accounts. You can also create your own random password generator using Excel or Google Sheets, and store your passwords offline on a hardware security key.


At the heart of any password generator is a cryptographically secure pseudorandom number generator (CSPRNG), an algorithm that produces unpredictable sequences of numbers and characters. This isn’t an action that an LLM can mimic successfully, which is why it generates long, yet crackable passwords.
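To put numbers on both the pattern described earlier and the CSPRNG point above, here is an added example (not code from PCMag, Gemini, or Irregular). It extracts the character-type template from the five passwords quoted in this article, compares the entropy ceiling once that template is known against a uniform random draw, and generates passwords with Python's `secrets` module. The 94-character alphabet and the function names are assumptions made for this illustration.

```python
import math
import secrets
import string

# The five passwords quoted in the article.
GEMINI_SAMPLES = [
    "H9!sR2%nB7*vK4#mG1&p",
    "X6#mQ1*tL9&vB2!sK8^j",
    "N7^vB2#mK9!sQ4&pL1*x",
    "z8!Wq2#mR9*vK4&pL5^t",
    "P9#vL2*mB7&sQ4!xK1^r",
]
# Assumption: ASCII letters, digits and the 32 ASCII punctuation marks.
CLASS_SIZES = {"L": 52, "N": 10, "S": len(string.punctuation)}
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def template(password):
    """Map each character to L (letter), N (digit) or S (special)."""
    return "".join(
        "L" if c.isalpha() else "N" if c.isdigit() else "S" for c in password
    )

def template_bits(tmpl):
    """Entropy ceiling in bits when the template is known. It assumes a
    uniform choice within each class, so the real figure can only be lower."""
    return sum(math.log2(CLASS_SIZES[k]) for k in tmpl)

def uniform_bits(length):
    """Entropy in bits of a password drawn uniformly from ALPHABET."""
    return length * math.log2(len(ALPHABET))

def csprng_password(length=20):
    """Draw every character independently from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def analyze():
    """Return the samples' shared template (or None) and the number of
    distinct templates among five CSPRNG-generated passwords."""
    templates = {template(p) for p in GEMINI_SAMPLES}
    shared = templates.pop() if len(templates) == 1 else None
    return shared, len({template(csprng_password()) for _ in range(5)})

if __name__ == "__main__":
    shared, n_random = analyze()
    print("shared template:", shared)
    print("ceiling with template known: %.1f bits" % template_bits(shared))
    print("uniform 20-char draw: %.1f bits" % uniform_bits(20))
    print("distinct templates in 5 CSPRNG passwords:", n_random)
```
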

So, what is a password manager, and why should you use one to create all of your passwords in the future? These apps generate passwords for you and fill them in for all your accounts, so you don’t have to memorize them or type them in every time you log in. 

I’ve tested and reviewed dozens of password managers, many of which are easy enough for absolutely anyone to use, and some of which offer free plans. The best password managers can import your existing passwords and offer suggestions for creating longer, stronger logins. Many password managers also include anti-phishing protection and tools to help you cut down on scam attempts and spam by signing up for accounts using fake email addresses.

Want to take things completely into your own hands? Check out our story on how to build your own password generator.
