Consider a simple question. If a strong password is needed, is it appropriate to ask an AI tool to generate one?

At first glance, it seems like a logical approach.

Tools such as ChatGPT and Microsoft Copilot are capable of producing detailed reports, drafting communications, and even generating code. Asking for a complex password made up of letters, numbers, and symbols can appear to be an efficient shortcut.

However, this is one area where caution is required.

Recent research examined how AI systems perform when asked to generate secure passwords. On the surface, the results appeared strong. The passwords were long, included a mix of character types, and scored well when tested using common online strength checkers. In some cases, these tools suggested that the passwords would take an extremely long time to crack.

A deeper analysis revealed a different outcome.

AI systems are based on large language models, which are designed to predict and generate text that appears natural and coherent. While this makes them highly effective for communication tasks, they are not designed to produce true randomness.

Strong passwords rely on randomness.

When researchers evaluated multiple AI-generated passwords, they identified repeating patterns and structural similarities. Some outputs were even duplicated. A notable finding was that none of the generated passwords contained repeated characters. While that may appear to be a strength, true randomness often includes repetition. The absence of it indicates that the outputs are being shaped by learned patterns rather than generated unpredictably.

To measure this, researchers assessed the entropy of the passwords, which reflects how unpredictable they are. The AI-generated examples scored significantly lower than a genuinely random password of the same length.

This has important implications.

Lower entropy means that passwords may be more vulnerable to brute-force attacks, where attackers attempt large numbers of possible combinations in rapid succession. Traditional password strength checkers may not detect this issue, as they focus on visible complexity rather than underlying patterns.

Even some advanced AI systems now include warnings advising users not to rely on AI-generated passwords for sensitive accounts. This reinforces the need to use purpose-built tools for security-critical functions.

For creating strong passwords, a password manager with a built-in generator remains the most effective approach. These tools use cryptographic methods specifically designed to produce unpredictable results, which is essential for maintaining security.
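An added example, not part of the original article or the research it describes: Python's `secrets` module draws from the operating system's cryptographic random source, the kind of generator a password manager relies on, and the helpers compute the entropy of a uniformly random password and how often one would contain a repeated character. The 94-character alphabet, the length of 16 and the batch size of 50 are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumption: 94 printable ASCII characters (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=16, alphabet=ALPHABET):
    """Pick each character independently and uniformly using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def uniform_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits when every character is independent and uniform."""
    return length * math.log2(alphabet_size)

def prob_no_repeat(length, alphabet_size=len(ALPHABET)):
    """Probability that a uniformly random password has no repeated character."""
    p = 1.0
    for i in range(length):
        p *= (alphabet_size - i) / alphabet_size
    return p

def has_repeat(password):
    """True if any character occurs more than once."""
    return len(set(password)) < len(password)

def repeat_rate(passwords):
    """Fraction of a batch with at least one repeated character."""
    return sum(has_repeat(p) for p in passwords) / len(passwords)

def duplicate_count(passwords):
    """Number of passwords that are exact copies of an earlier one."""
    return len(passwords) - len(set(passwords))

if __name__ == "__main__":
    length, batch_size = 16, 50  # constructed sample sizes
    batch = [generate_password(length) for _ in range(batch_size)]
    p_clean = prob_no_repeat(length)
    print(f"entropy per password: {uniform_entropy_bits(length):.1f} bits")
    print(f"P(no repeated character): {p_clean:.3f}")
    print(f"P(all {batch_size} have none): {p_clean ** batch_size:.1e}")
    print(f"observed repeat rate: {repeat_rate(batch):.2f}")
    print(f"exact duplicates: {duplicate_count(batch)}")
```

Under these assumptions roughly three in four uniformly random passwords contain a repeated character, so a batch with no repeats at all, or with whole passwords recurring, points to a generator that is not sampling uniformly.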

AI continues to be a valuable productivity tool across many areas of business. However, when it comes to foundational security controls such as password generation, it is not the appropriate solution.

Organizations should ensure that password management practices are supported by dedicated, security-focused tools rather than general-purpose AI systems.

If your business is reviewing its approach to password security or considering a standardized password management solution, it may be worth taking a more structured approach to ensure long-term protection.
