Can AI Generate a Secure Password?
Here's a question worth asking: if you needed a strong password today, would you trust AI to create one for you?
At first glance, it seems like a sensible idea.
Tools such as ChatGPT, Copilot and Gemini can draft emails, write reports and even generate code. Asking AI to come up with a 16-character password packed with symbols, numbers and uppercase letters feels like a quick win.
The problem is that strong passwords aren't just about complexity. They're about randomness.
Recent research put several AI tools to the test by asking them to generate secure passwords. On the surface, the results looked impressive. The passwords were long, included a mix of character types and scored highly when checked using online password strength tools.
But a closer look revealed a different story.
Large Language Models (LLMs) like ChatGPT are designed to predict patterns in text. That's what makes them so effective at producing human-like responses. What they're not designed to do is generate truly random data.
And that's where the issue lies.
When researchers analysed AI-generated passwords, they found noticeable patterns. Some passwords shared similar structures, while others were even duplicated. Interestingly, none of the generated passwords contained repeating characters.
That might sound like a positive, but genuine randomness often includes repetition. The absence of repeated characters suggests the AI is following learned patterns rather than producing completely unpredictable results.
Researchers also measured the passwords' entropy – a technical term used to describe unpredictability. The AI-generated passwords scored significantly lower than a genuinely random 16-character password would be expected to achieve.
In practical terms, that means attackers using automated password-cracking tools could potentially guess these passwords faster than their apparent complexity would suggest.
The challenge is that most online password checkers only assess visible complexity. They look for length, symbols, numbers and mixed-case letters, but they don't identify hidden patterns that may make a password easier to crack.
Even some of the latest AI models now warn users against relying on AI-generated passwords for important accounts, recommending dedicated password-generation tools instead.
The safest approach remains using a reputable password manager with a built-in password generator. These tools use cryptographic randomness and are specifically designed to create passwords that are genuinely unpredictable.
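As an added illustration (not code from the research or from any password manager), the Python sketch below generates a password from the operating system's cryptographic random source and puts numbers on the points above: the entropy of a truly random 16-character password, how often such a password reuses a character, and how a complexity-only check accepts an obvious pattern. It assumes a 94-character printable ASCII alphabet, takes "repeating characters" to mean the same character appearing more than once anywhere in the password, and uses a constructed batch size and sample password.

```python
import math
import secrets
import string

# Assumption: 94 printable ASCII characters (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=16):
    """Draw each character independently from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length=16, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def prob_repeated_char(length=16, alphabet_size=len(ALPHABET)):
    """Chance a uniformly random password reuses at least one character."""
    p_all_distinct = 1.0
    for i in range(length):
        p_all_distinct *= (alphabet_size - i) / alphabet_size
    return 1.0 - p_all_distinct

def prob_batch_without_repeats(n_passwords, length=16):
    """Chance that n independent random passwords all avoid any repeat."""
    return (1.0 - prob_repeated_char(length)) ** n_passwords

def looks_complex(pw):
    """Surface checks only (length and character classes), as the article describes."""
    return (len(pw) >= 16
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

if __name__ == "__main__":
    print("generated:", generate_password())
    print(f"entropy of a random 16-char password: {entropy_bits():.1f} bits")
    print(f"P(at least one repeated character): {prob_repeated_char():.2f}")
    # Constructed batch size, not a figure from the research.
    print(f"P(50 random passwords, none with a repeat): {prob_batch_without_repeats(50):.1e}")
    # Constructed sample: an obvious pattern that still passes the surface checks.
    print("patterned sample passes:", looks_complex("Summer2024!Summer2024!"))
```

Roughly three in four truly random 16-character passwords reuse at least one character, so a whole batch with no reuse at all is a sign the generator is not sampling uniformly.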
AI is an incredibly useful business tool and has earned its place in the workplace. But when it comes to something as important as password security, it's still better to rely on tools built for that specific purpose.
If you'd like advice on password managers, multi-factor authentication or improving your organisation's cyber security, we are here to help.
Written by Ruaridh Anderson, Graduate Cyber Security Apprentice at GSP Digital Solutions.
