Full Report
Cyber experts have warned against using AI to generate passwords after research found glaring security failures. Analysis from cybersecurity firm Irregular found that a host of popular AI chatbots, including ChatGPT, Claude, and Google Gemini, produced highly predictable passwords. A key factor behind this, the study noted, is that large language models (LLMs) generate passwords based on recognizable patterns, rather than in the randomized manner…
Analysis Summary
# Best Practices: Secure Password Generation & LLM Risks
## Overview
Recent analysis from cybersecurity firm Irregular found that Large Language Models (LLMs) such as ChatGPT, Claude, and Gemini are unsuitable for password generation. An LLM chooses each token by its likelihood given the prompt and its training data; it does not draw from a cryptographically secure random source. The passwords it emits therefore cluster around a small set of recognizable patterns (dictionary words, symbol separators, recent years) and are far easier to guess with automated brute-force or dictionary attacks tuned to AI output than their length and character mix would suggest. This guide covers moving away from AI-generated credentials toward cryptographically secure alternatives.
## Key Recommendations
### Immediate Actions
1. **Stop Using LLMs for Credentials:** Cease the use of all AI chatbots for generating passwords, PINs, or secret keys.
2. **Audit Current Passwords:** Identify any passwords previously created using AI and change them immediately.
3. **Adopt a Password Manager:** Deploy a reputable password manager that utilizes a **Cryptographically Secure Pseudorandom Number Generator (CSPRNG)** to create passwords.
### Short-term Improvements (1-3 months)
1. **Enable Multi-Factor Authentication (MFA):** Implement MFA across all business and personal accounts to provide a second layer of defense against predictable passwords.
2. **Employee Training:** Conduct a brief security awareness session explaining why LLMs fail at randomness and the risks of "pattern-based" credentials.
3. **Update Password Policies:** Formalize policies stating that credentials must be generated by approved technical tools, not AI assistants.
### Long-term Strategy (3+ months)
1. **Transition to Passkeys:** Phased migration toward FIDO2/WebAuthn (Passkeys) to eliminate the reliance on passwords entirely.
2. **Implementation of SSO:** For organizations, integrate Single Sign-On (SSO) to reduce the number of individual passwords employees need to manage.
3. **Automated Credential Rotation:** For service accounts, implement automated rotation via secrets management vaults.
## Implementation Guidance
### For Small Organizations
- Use built-in browser password generators (e.g., Google Chrome or Apple Keychain) if a dedicated enterprise manager is budget-prohibitive.
- Prioritize securing the primary email account and any financial portals with hardware security keys (e.g., YubiKey).
### For Medium Organizations
- Deploy an organization-wide password manager (e.g., Bitwarden or 1Password) to centralize credential management.
- Enforce MFA requirements via a central identity provider.
### For Large Enterprises
- Implement "Zero Trust" architecture where possible.
- Use Enterprise Secret Management tools (e.g., HashiCorp Vault) in developer workflows so that API keys and other machine secrets are generated and rotated by the vault, never typed by hand or produced by an LLM.
- Use Data Loss Prevention (DLP) tools to monitor and block prompts to LLMs that involve sensitive credential generation.
## Configuration Examples
**Recommended Password Structure (Non-AI):**
Instead of asking an AI for a "strong password," use a system that generates a 16+ character random string:
- **Incorrect (AI Pattern):** `Blue@Dog!2024` (two dictionary words, a symbol separator and a year: a structure attackers enumerate cheaply)
- **Correct (CSPRNG):** `jx7#9L!vP2$mqZ8*r` (17 characters drawn uniformly from the full mixed-case, digit and symbol alphabet; entropy comes from length times alphabet size, not from the visible "complexity")
**Password Manager Settings:**
- **Length:** Minimum 16 characters.
- **Composition:** Include uppercase, lowercase, numbers, and symbols (this applies to generated secrets; composition rules add little for user-chosen passwords, and NIST SP 800-63B advises verifiers not to impose them).
- **Avoid:** Dictionary words or "Leetspeak" substitutions (e.g., P@ssw0rd).
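To make the two examples above concrete, the following added script (not part of the original report or of Irregular's research) generates a policy-compliant password from the operating system's CSPRNG via Python's `secrets` module, computes the entropy of a uniformly random string of that length, and runs a small pattern check that flags the weaknesses in `Blue@Dog!2024` (dictionary words after leetspeak normalization, a four-digit year). The symbol set and the tiny word list are constructed for the example; a real checker would use a breached-password list. The entropy figure is only valid for strings drawn uniformly at random, which is exactly why it cannot be applied to an LLM's output.

```python
import math
import re
import secrets
import string

# Character classes the password manager settings above require.
# The symbol set is an assumption; managers differ in which symbols they offer.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())  # 86 characters
MIN_LENGTH = 16

# Constructed stand-in for a dictionary / breached-password list.
COMMON_WORDS = {"blue", "dog", "password", "admin", "secure", "summer", "welcome"}
# Undo common leetspeak substitutions so "P@ssw0rd" normalizes to "password".
LEET = str.maketrans("@01345$7", "aoleasst")


def generate_password(length: int = 20) -> str:
    """Draw every character from the OS CSPRNG, then rejection-sample until all
    four classes are present. Rejection sampling keeps the result uniform over
    all qualifying strings, unlike 'pick one of each class then shuffle'."""
    if length < MIN_LENGTH:
        raise ValueError(f"policy minimum is {MIN_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def meets_policy(pw: str) -> bool:
    """Length >= 16 and at least one character from every class."""
    return len(pw) >= MIN_LENGTH and all(
        any(ch in cls for ch in pw) for cls in CLASSES.values()
    )


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a string chosen uniformly at random: length * log2(alphabet).
    This is NOT a property of a password's appearance: a pattern-based string
    of the same length has far fewer likely candidates than the formula implies."""
    return length * math.log2(alphabet_size)


def pattern_findings(pw: str) -> list[str]:
    """Return human-readable reasons a password looks pattern-based (empty = none found)."""
    findings = []
    normalized = pw.lower().translate(LEET)
    for word in sorted(COMMON_WORDS):
        if word in normalized:
            findings.append(f"dictionary word '{word}'")
    if re.search(r"(19|20)\d{2}", pw):
        findings.append("four-digit year")
    if re.fullmatch(r"[A-Z][a-z]+\W?[A-Z]?[a-z]*\W*\d*", pw):
        findings.append("Word-symbol-number structure")
    return findings


def assess(pw: str) -> dict:
    """Combine the policy check and the pattern check into one verdict."""
    findings = pattern_findings(pw)
    return {
        "length": len(pw),
        "meets_policy": meets_policy(pw),
        "findings": findings,
        "acceptable": meets_policy(pw) and not findings,
    }


if __name__ == "__main__":
    for sample in ("Blue@Dog!2024", "P@ssw0rd", "jx7#9L!vP2$mqZ8*r", generate_password()):
        print(sample, assess(sample))
    print(f"16-char uniform password: {entropy_bits(16):.1f} bits")
```

`secrets` is the right module here; `random` is a Mersenne Twister whose output can be reconstructed from a few observed values and must never be used for credentials.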
## Compliance Alignment
- **NIST SP 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management):** Requires that memorized secrets be checked against lists of known compromised passwords, and advises against forced composition rules and periodic rotation for user-chosen passwords; for generated secrets, strength comes from random selection, where length and alphabet size determine entropy.
- **ISO/IEC 27001:** Controls for access management and secure password use.
- **CIS Controls v8 (Control 5, Account Management; Control 6, Access Control Management):** Unique passwords for every account (Safeguard 5.2) and MFA for externally exposed applications, remote access and administrative access (Safeguards 6.3 to 6.5).
## Common Pitfalls to Avoid
- **The "False Sense of Security" Trap:** Believing that a password is safe because it is long and mixes character classes, even though it was generated by an AI that follows human-like patterns. Entropy is a property of how a password was chosen, not of how it looks.
- **Credential Leakage to the Provider:** Sending account names, existing passwords or other sensitive context to an LLM while asking it for a password. Depending on the provider's terms, prompts may be logged, reviewed, or used for training, so the "secret" has already left your control before it is used.
- **Reuse:** Using the same AI-generated password across multiple platforms.
## Resources
- **NIST Password Guidelines:** [nist[.]gov/publications/special-publications]
- **OWASP Password Strength Guidelines:** [owasp[.]org/www-community/password-strength]
- **CISA Guidance on MFA:** [cisa[.]gov/mfa]