Recent studies have highlighted significant security concerns regarding passwords generated by large language models (LLMs). Despite appearing strong at first glance, these passwords often lack true randomness, exposing them to potential exploitation.
Understanding the Flaws in LLM-Generated Passwords
Traditional secure password generation uses a cryptographically-secure pseudorandom number generator (CSPRNG), ensuring each character has an equal chance of selection. However, LLMs like GPT, Claude, and Gemini operate by predicting likely subsequent tokens, which is inherently non-random.
This difference in methodology was evident in tests where patterns emerged across multiple iterations. For instance, among 50 tests with Claude Opus 4.6, only 30 unique passwords were generated, with one repeated 18 times, indicating high predictability.
Implications of Predictable Passwords
Such predictability poses a risk for users and developers alike, as coding tools may inadvertently introduce weak passwords into software systems. This is particularly problematic in environments where code is deployed without thorough review, allowing these vulnerabilities to go unnoticed.
Additionally, specific models exhibited consistent biases. GPT-5.2 often began passwords with ‘v’, while Gemini 3 Flash showed a preference for ‘K’ or ‘k’, further emphasizing the predictability problem.
Quantifying Password Weakness
Using Shannon entropy, a measure of how unpredictable a password is, researchers quantified these weaknesses. Ideally, a 16-character password should have 98 bits of entropy, making it highly resistant to brute-force attacks. In contrast, Claude Opus 4.6’s passwords averaged only 27 bits of entropy, and GPT-5.2’s longer passwords were even weaker, with just 20 bits.
Adjusting model settings did not resolve these issues. Even at maximum temperature settings, repeated patterns persisted, and lowering the temperature led to identical passwords every time, underscoring the systemic nature of the problem.
Recommendations for Enhanced Security
To mitigate these risks, security experts recommend auditing and replacing any credentials generated by AI tools. Developers should use cryptographically secure methods such as openssl rand or /dev/random and thoroughly review AI-generated code for hardcoded passwords before deployment.
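As an added example (not code from the article or from the study it reports), the following Python estimates entropy for a constructed, repetitive sample of the kind described above and compares it with the ideal figure and with a CSPRNG baseline from the secrets module. The per-position Shannon estimator and the 70-character alphabet are assumptions; the study's exact method is not stated.

```python
import math
import secrets
import string
from collections import Counter

# Assumed alphabet: letters, digits and eight symbols = 70 characters, the size
# at which a uniformly drawn 16-character password carries about 98 bits.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def ideal_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a password whose every character a CSPRNG picks uniformly."""
    return length * math.log2(len(alphabet))


def observed_entropy_bits(passwords: list[str]) -> float:
    """Assumed estimator: Shannon entropy of the character distribution at each
    position, summed over positions. Repeated passwords or a bias such as most
    passwords starting with 'v' shrink the total. With a small sample the
    per-position value is capped at log2(sample size), so the result is a
    rough estimate, not an exact measurement."""
    length = min(len(p) for p in passwords)
    total = 0.0
    for i in range(length):
        counts = Counter(p[i] for p in passwords)
        n = sum(counts.values())
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def secure_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Generate a password from the operating system's CSPRNG via secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample imitating the behaviour described in the article:
# 50 "LLM" passwords, one repeated 18 times, every one starting with 'v'.
LLM_LIKE = ["vX9#mK2pQ7wL4nR8"] * 18 + [
    f"vX9#mK2pQ7wL4n{c}{d}" for c in "RSTUVWXY" for d in "0123"
]

if __name__ == "__main__":
    csprng = [secure_password() for _ in range(2000)]
    print(f"ideal 16-char entropy:   {ideal_entropy_bits(16):.1f} bits")
    print(f"constructed LLM sample:  {observed_entropy_bits(LLM_LIKE):.1f} bits "
          f"({len(set(LLM_LIKE))} unique of {len(LLM_LIKE)})")
    print(f"secrets-module sample:   {observed_entropy_bits(csprng):.1f} bits")
```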
Staying informed and vigilant about these security challenges is crucial.
