PSA: Don’t Use AI to Create Passwords
Depending on what you do, AI can do a lot for your individual productivity. Tools like ChatGPT and Gemini are effective at certain business tasks, like drafting emails, improving grammar, synthesizing information, or even writing or correcting code.
But recent research shows us one thing you shouldn’t use AI for: creating passwords. A clearer understanding of how these systems work can show you why.
Here’s what you need to know.
Why People Use AI for Password Creation
We’ve warned for more than a decade that using simple passwords is dangerous, and reusing them is even worse. Passwords that use your birthday, common patterns like 2468, or even the word “password” itself (yes, this really still happens) are easy to guess. When you reuse those easy passwords across multiple accounts, all it takes is one right guess and the bad guys could gain access to all sorts of information.
People hear that passwords need to be long, complex, and unique, but we humans aren’t good at thinking those up (let alone memorizing gibberish for every single login). So some people are turning to AI to do the thinking for them.
They ask their favorite AI tool to generate a complex password, and the AI spits out something that looks exactly like what they wanted. So they take that string of characters, move over to their browser, and paste it in. Then they let the browser save the details (or they copy it into a document or spreadsheet, which is its own kind of problem).
What’s Wrong With This Approach
The problem is, AI tools don’t do randomness. They predict patterns. At their core, all LLM-based tools are essentially guessing what the most likely next token (word part or bit of code) is based on the inputs received.
That means when you ask AI to create a random password, it breaks down what you mean and starts assembling an answer that is the most likely to be natural, plausible, and (hopefully) accurate.
Stated plainly: It’s not choosing random characters. It’s choosing the characters it thinks are most likely to please you.
That means over a large sample size, researchers don’t see randomness in AI-generated passwords. They see patterns.
One of these patterns is that AI usually won’t repeat a character in a password. But truly random passwords nearly always have a duplicate character.
Think about what that means: there’s a huge, obvious tell that a password was AI-generated. And brute-force attacks are substantially easier to execute when bad actors rule out the possibility of repeated characters.
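As an added illustration (not from the original article), the following Python shows the statistics behind that tell: how often a uniformly random password of a given length contains a repeated character, a check that flags passwords with no repeats, and how much smaller the search space becomes if a guesser assumes no character repeats. The 94-character alphabet and 16-character length are assumptions, and the two no-repeat strings at the end are constructed for the demo, not actual AI output.

```python
import math
import secrets
import string

# 94 printable ASCII characters: letters, digits and punctuation (no space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def has_repeated_char(password: str) -> bool:
    """True if some character occurs more than once (the tell described above)."""
    return len(set(password)) < len(password)

def prob_at_least_one_repeat(length: int, alphabet_size: int) -> float:
    """Birthday-problem odds that a uniformly random password has a repeat."""
    p_all_distinct = 1.0
    for i in range(length):
        p_all_distinct *= (alphabet_size - i) / alphabet_size
    return 1.0 - p_all_distinct

def keyspace_bits(length: int, alphabet_size: int, allow_repeats: bool) -> float:
    """log2 of how many candidates a guesser must try under each assumption."""
    if allow_repeats:
        return length * math.log2(alphabet_size)  # k^n
    return sum(math.log2(alphabet_size - i) for i in range(length))  # k!/(k-n)!

def bits_saved_by_ruling_out_repeats(length: int, alphabet_size: int) -> float:
    """Search effort (in bits) skipped by assuming no character repeats."""
    return (keyspace_bits(length, alphabet_size, True)
            - keyspace_bits(length, alphabet_size, False))

def random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniform password from the OS CSPRNG (what a password manager does);
    repeats are allowed, which is required for uniformity over the keyspace."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def repeat_rate(passwords: list) -> float:
    """Fraction of a sample that contains at least one repeated character."""
    return sum(has_repeated_char(p) for p in passwords) / len(passwords)

if __name__ == "__main__":
    n, k = 16, len(ALPHABET)
    sample = [random_password(n) for _ in range(2000)]
    print(f"expected repeat rate: {prob_at_least_one_repeat(n, k):.3f}")
    print(f"observed repeat rate: {repeat_rate(sample):.3f}")
    print(f"bits skipped if repeats are ruled out: {bits_saved_by_ruling_out_repeats(n, k):.2f}")
    # Constructed no-repeat strings mimicking the pattern the article describes.
    print([has_repeated_char(p) for p in ["Xq7#Lm2@Vb9!Pw4&", "Gz3$Kt8%Rn5^Jy6*"]])
```

For 16 characters drawn from 94, roughly three out of four truly random passwords contain a repeat, so a batch of repeat-free passwords stands out immediately.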
Password Checkers Give AI a Pass, But You Shouldn’t
When you change your password or create a new account on just about any website, you’ll encounter a password strength check. If you try to use “password” as your password on any major service, it won’t let you. It’ll require a certain length, a certain mix of letters, numbers, and symbols, that sort of thing.
These tools aren’t looking for true randomness or strength. They’re just looking for certain basic parameters, and AI-generated passwords meet that low threshold.
But you shouldn’t.
What to Use Instead
So, what should you do instead?
We recommend a business-grade password manager. These tools generate truly long, unique, complex passwords for every account. Then they securely store those passwords behind one master account password. As long as that master account remains secured, so do the dozens or hundreds of credentials stored within it.
We also stress implementing multi-factor authentication (MFA) on every account that allows it. This simple tactic requires something extra beyond a username and password, like a fingerprint or a one-time passcode. Even if scammers steal or crack your password, it’ll be nearly worthless without that other authentication factor.
Not sure how to do this safely without disrupting business? We can help. Give us a call anytime.