Cybersecurity, IT Managed Services, Software | MSSP Blog

Why You Shouldn't Ask AI to Generate Your Passwords

Written by Rubens Perdomo | Jun 1, 2026 4:00:07 AM

Let me start with a question: if you needed a strong password, would you ask AI to generate one for you?

It sounds reasonable enough. In fact, for most people, it probably sounds like exactly the kind of thing AI should be good at.

Tools like ChatGPT and Copilot have integrated themselves into the day-to-day workflows of many businesses. They can write reports, summarize documents, draft emails, and produce working bits of code in seconds. If they can handle all of that, surely knocking out a 16-character password packed with symbols and numbers is trivial by comparison. It feels like just another problem to delegate to AI and stop worrying about.

You might want to rethink that mindset. Because when it comes to passwords, AI has a fundamental limitation that no amount of capability can fix.

What the Research Found

Researchers recently put AI tools to the test by asking them to generate secure passwords for protecting sensitive accounts or business systems. On the surface, the results looked impressive. The passwords were long, mixed upper and lower case letters with numbers and symbols scattered throughout. They looked exactly like what a strong password is supposed to look like.

When those passwords were run through popular online password strength checkers, they scored highly. Some tools confidently declared that it would take centuries, or even millennia, for an attacker to crack them. On every visible measure, the AI appeared to be doing its job perfectly.

But when security researchers dug deeper and analyzed the passwords using more rigorous methods, a very different picture emerged. What looked strong on the surface was considerably weaker underneath, and the reason why tells you something important about how AI actually works.

The Problem with AI & Randomness

AI systems are powered by something called a large language model, or LLM. At their core, these models are trained to predict what text should come next based on patterns learned from vast amounts of data. That's what makes them so impressive at writing, summarizing, and generating human-like responses. They are extraordinarily good at producing output that looks natural, coherent, and plausible, and that is the exact reason why AI cannot create a good password.

Strong passwords don't need to look plausible. They don't need to follow any pattern at all. In fact, the whole point is that they shouldn't. What makes a password secure is true randomness, a set of characters that is completely unpredictable, with no underlying structure that an attacker could exploit.

LLMs are not designed to produce true randomness; they are built to produce likely, pattern-consistent output. No matter how sophisticated the model, it cannot step outside what its design allows. When AI generates a password, it is drawing on learned patterns to construct something that resembles randomness, which is a very different thing from being random.

When researchers examined dozens of AI-generated passwords, the consequences of this became clear. They found repeating patterns across passwords. Some outputs were near-identical. Many followed very similar structural templates: a cluster of letters here, a number sequence there, a symbol in a predictable position.

One particularly telling finding was that none of the AI-generated passwords contained repeating characters. That might sound like a sign of quality, but it's actually the opposite. Genuine randomness includes natural repetition in its output. The complete absence of repeating characters is a signal that the AI was following learned rules about what a "good" password looks like, rather than generating output that is truly unpredictable.

What Is Entropy & Why Does It Matter?

To understand why this is a serious problem, it helps to know about a concept called entropy. In the context of passwords, entropy is a technical measure of unpredictability: how many possible combinations does an attacker need to try before guessing your password correctly? The higher the entropy, the harder your password is to crack.

When researchers measured the entropy of AI-generated passwords, they found it fell significantly short of what a genuine 16-character random password should deliver. Despite looking complex, the passwords were statistically more predictable than they appeared because the patterns baked into them by the AI reduced the number of realistic combinations an attacker would need to test.

This matters enormously in the context of brute-force attacks. In a brute-force attack, an attacker uses automated tools to try enormous numbers of password combinations in rapid succession. Modern hardware can attempt billions of guesses per second. If your password follows even the most subtle patterns, they can be built into the attack, dramatically narrowing the search space and cutting the time to crack it from centuries to something far more achievable.

The passwords that AI generates may not be as weak as using your pet's name and birthday, but they are measurably weaker than the alternatives available to you.

Why Online Password Checkers Won't Warn You

One of the most concerning aspects of this issue is that standard online password strength checkers will not flag the problem. These tools assess passwords based on visible characteristics like length, the presence of uppercase letters, numbers, and special characters. By those measures, AI-generated passwords often score very well.

What these checkers cannot see are the hidden structural patterns that undermine the password's true strength. They have no way to detect that the output came from an LLM, or that the apparent complexity is underpinned by learned patterns rather than genuine unpredictability. A password can pass every surface-level check and still be significantly easier to crack than a properly random equivalent.

This means users relying on AI-generated passwords may gain a false sense of security from using these strength checkers, believing they are well protected when they are not. And that false confidence can be more dangerous than knowing you have a weak password.

Even AI Itself Is Starting to Issue Warnings

It is worth noting that some of the most capable AI models are now acknowledging this limitation themselves. Newer models, including Gemini 1.5 Pro, have begun issuing cautions when users ask them to generate passwords, advising that chat-generated credentials should not be relied upon for sensitive accounts.

When the AI tools themselves are telling you not to trust AI-generated passwords, that should carry some weight. This is not a limitation that will be engineered away with the next model update; it is a direct consequence of what LLMs fundamentally are.

What You Should Use Instead

If you want passwords that are genuinely secure, the answer is a dedicated password manager with a built-in password generator.

Unlike AI, these tools use cryptographic randomness: a cryptographically secure random number generator designed to produce output with no discernible pattern. The entropy is authentic and as high as it should be. And because the password is stored securely within the manager, you don't need to remember it or write it down.

A good password manager will also generate a unique password for every account, ensure no two passwords are alike, and alert you if any of your credentials appear in a known data breach. For businesses in particular, they offer additional features around team access, auditing, and policy enforcement.
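To make the entropy argument from the earlier section concrete, and to show what "cryptographic randomness" looks like in practice, here is an added example (not code from the article or from any password manager). It generates a 16-character password from the operating system's CSPRNG and then compares the entropy of a fully random 16-character password against two constrained generators like those the research describes: one that never repeats a character, and one that always follows a fixed class template (letters, then digits, then one symbol). The 94-character alphabet, the template string, and the 10 billion guesses per second rate are constructed assumptions for the calculation, not figures taken from the article.

```python
import math
import secrets
import string

# Character classes a generator can draw from (94 printable ASCII, no space).
CLASSES = {"L": string.ascii_letters, "d": string.digits, "s": string.punctuation}
ALPHABET = "".join(CLASSES.values())


def generate_password(length=16, alphabet=ALPHABET):
    """Draw every position independently from the OS CSPRNG, the way a
    password manager's generator does. Repeated characters are allowed."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_uniform(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy when each position is an independent uniform draw:
    log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def entropy_no_repeats(length, alphabet_size=len(ALPHABET)):
    """Bits when the generator never repeats a character (the rule the
    article observed in AI output): log2 of the falling factorial."""
    return math.log2(math.perm(alphabet_size, length))


def entropy_templated(template):
    """Bits when the attacker knows the class of every position, e.g.
    'LLLLLLLLLLLdddds' = 11 letters, then 4 digits, then 1 symbol."""
    return sum(math.log2(len(CLASSES[c])) for c in template)


def expected_crack_years(bits, guesses_per_second=10e9):
    """Expected brute-force time: half the search space at a constant guess
    rate (10 billion/s is a constructed figure, not from the article)."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    full = entropy_uniform(16)
    norep = entropy_no_repeats(16)
    templ = entropy_templated("LLLLLLLLLLLdddds")
    print(f"CSPRNG password:      {generate_password()}")
    print(f"uniform 16-char:      {full:6.2f} bits, {expected_crack_years(full):.2e} years")
    print(f"no repeated chars:    {norep:6.2f} bits")
    print(f"fixed class template: {templ:6.2f} bits, {expected_crack_years(templ):.2e} years")
    print(f"template search space is about {2 ** (full - templ):.0f}x smaller")
```

Running it shows that the no-repeat rule alone costs only about two bits, while a fixed class template that an attacker can learn drops a nominal 105-bit password to roughly 81 bits, shrinking the search space by a factor in the tens of millions; neither effect is visible to a checker that only counts length and character classes.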

Conclusion

AI is a powerful tool, and there are many areas where it can save time, improve output, and add real value to your business. Password generation is not one of them.

When it comes to security essentials, the standard has to be higher than "looks right." Passwords need to be mathematically unpredictable, and that is something AI, by its very nature, is not built to deliver.

Use the right tool for the job. Your business's security depends on it.

If you'd like help choosing the right password manager for your business, get in touch.