Should you use passwords generated by ChatGPT, Deepseek and Llama? Here’s what you need to know



Generative AI is super useful, but should you rely on these tools to generate passwords? In conjunction with World Password Day, Kaspersky has analysed 1,000 passwords generated with various AI tools including ChatGPT, DeepSeek and Llama to find out if they are any good at keeping your logins safe.

As a general rule of thumb, you should avoid reusing the same password across multiple accounts, as attackers can reuse the same password to gain access to other platforms. While it is tempting to use AI to generate random passwords, it turns out that the supposedly random passwords aren’t as random as you think.

AI-generated passwords don’t offer True Randomness

Kaspersky’s Data Science Team Lead, Alexey Antonov, generated 1,000 passwords using the top large language models (LLMs) such as OpenAI’s ChatGPT, Meta’s Llama and China’s DeepSeek. On the surface, the LLMs seem to be aware that a good password requires at least 12 characters with a mixture of uppercase and lowercase letters, numbers and symbols.

DeepSeek and Llama tend to generate passwords from dictionary words with some letters replaced by other characters, such as S@d0w12, M@n@go3, B@n@n@7 (DeepSeek), K5yB0a8dS8 and S1mP1eL1on (Llama). These passwords are deemed unsafe as the trick of substituting letters is known and they are not difficult to brute force.

On the surface, ChatGPT seems to be better as it is able to generate more random-looking passwords such as qLUx@^9Wp#YZ, YLU@x#Wp9q^Z, P@zq^XWLY#v9 and X@9pYWq^#Lzv. However, if you look closer, there’s a noticeable pattern where certain characters are used repeatedly, such as X, p and 9.

When all symbols used in the 1,000 ChatGPT-generated passwords are plotted in a histogram, it becomes clear that a small cluster of characters (x, p, I, L, q, y, @, v, w, X, Y, 9, #) shows significantly higher frequency. This means the majority of passwords generated aren’t as random as one would hope.

Llama seems to show slightly better “randomness”, while DeepSeek seems to be the best among the three, with the most balanced-looking histogram for character frequency.

What makes a good password?

According to Kaspersky, an ideal random password generator should not have any character preference. All symbols and characters should appear approximately the same number of times.

In addition, a good password should also include a special character or digits, which are often neglected by ChatGPT (26%), Llama (32%) and DeepSeek (29%).

Another concern is that DeepSeek and Llama sometimes generate a password that’s too short, with fewer than 12 characters.

With the password generation patterns illustrated above now known, cyber criminals can speed up their password brute force attempts by starting with the most frequent combinations for a higher probability of success.

Last year, Antonov developed a machine learning algorithm to test password strength and it was found that nearly 60% of passwords can be cracked within an hour using modern GPUs or cloud-based cracking tools. When he applied the same algorithm to AI-generated passwords, he discovered that these passwords were far less secure.

88% of DeepSeek and 87% of Llama generated passwords were not strong enough to withstand a sophisticated cyber attack. Meanwhile, ChatGPT performed better, with 33% of generated passwords deemed not strong enough to pass the Kaspersky test.

Antonov added that the problem with LLMs is that they don’t create true randomness. Instead, they mimic patterns from existing data, which makes these password outputs predictable to attackers who understand how these models work.

Instead of using AI, Kaspersky recommends that users adopt dedicated password management software, including Kaspersky’s Password Manager, to generate and manage all passwords. Password managers use cryptographically secure generators to create passwords without detectable patterns to ensure true randomness. On top of that, all credentials are stored in a secured vault protected by a single master password. As a result, you would only need to remember one password for the vault, instead of having to remember hundreds of passwords for various platforms.
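The histogram check and the cryptographically secure generator described above can be reproduced in a few lines of Python; this is an added example, not Kaspersky's code or test. It scores the four ChatGPT passwords quoted in the article against a flat character histogram and compares them with a batch drawn from the operating system's CSPRNG. The names `skew_score`, `alphabet_coverage` and the 94-character `ALPHABET` are assumptions made for the illustration.

```python
import secrets
import string
from collections import Counter

# The four ChatGPT-generated passwords quoted in the article.
CHATGPT_SAMPLES = ["qLUx@^9Wp#YZ", "YLU@x#Wp9q^Z", "P@zq^XWLY#v9", "X@9pYWq^#Lzv"]

# Assumption: the 94 printable ASCII letters, digits and symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=16):
    """Draw every character independently and uniformly from the OS CSPRNG."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def char_histogram(passwords):
    """Character frequency across a batch of passwords."""
    return Counter("".join(passwords))


def alphabet_coverage(passwords):
    """Fraction of ALPHABET that appears at least once in the batch."""
    return len(set("".join(passwords)) & set(ALPHABET)) / len(ALPHABET)


def skew_score(passwords):
    """Chi-square distance from a flat histogram, per degree of freedom.

    Close to 1.0 for a generator with no character preference; values well
    above 1.0 mean some characters are favoured over others.
    """
    hist = char_histogram(passwords)
    total = sum(hist[c] for c in ALPHABET)
    expected = total / len(ALPHABET)
    chi2 = sum((hist[c] - expected) ** 2 / expected for c in ALPHABET)
    return chi2 / (len(ALPHABET) - 1)


if __name__ == "__main__":
    batch = [generate_password(12) for _ in range(1000)]
    print("ChatGPT samples: skew", round(skew_score(CHATGPT_SAMPLES), 2),
          "coverage", round(alphabet_coverage(CHATGPT_SAMPLES), 2))
    print("CSPRNG batch:    skew", round(skew_score(batch), 2),
          "coverage", round(alphabet_coverage(batch), 2))
```

The four quoted passwords reuse only 16 distinct characters between them, so the skew shows up even in this tiny sample, while the CSPRNG batch stays near 1.0 and covers the whole alphabet.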

For greater convenience, password managers also offer auto-fill and synchronisation across multiple platforms. Not only does this help to streamline the login process on all your devices without compromising on security, but it also alerts you to a potential data leak if one of your registered platforms has faced a data breach.
