Don’t Trust AI with This Security Essential

AI is changing how businesses work, but cybersecurity still depends on using the right tools.

Let me start with a question: if you needed a strong password, would you ask AI to generate one for you?

It sounds reasonable enough.

Tools like ChatGPT and Copilot can write reports, draft emails and even create code. Asking them to generate a secure password feels like a smart shortcut.

But when it comes to protecting your business, it’s a shortcut worth avoiding.

The Problem Isn't Complexity. It's Predictability.

Researchers recently tested AI tools by asking them to generate secure passwords.

At first glance, the results looked impressive: long strings of mixed-case letters, numbers and symbols that appeared highly secure. Some even scored exceptionally well when tested against online password strength checkers.

But a closer examination revealed a different story.

AI systems are powered by Large Language Models (LLMs), which are designed to predict patterns in text. That’s what makes them so effective at writing content, answering questions and generating useful responses.

However, strong passwords rely on something entirely different: randomness.

And randomness is not what AI was built to create.

Why Randomness Matters

A password’s strength depends on how unpredictable it is.

The more random the password, the harder it becomes for cybercriminals to crack using automated tools and brute-force attacks.

When researchers analysed AI-generated passwords, they found recurring patterns and similarities between outputs. Some passwords even shared common structures despite being generated independently.

One particularly interesting finding was that many AI-generated passwords avoided repeating characters altogether.

While that may sound like a positive feature, true randomness often includes repetition. The consistent absence of repeated characters suggests the AI is following learned rules rather than producing genuinely unpredictable results.

Researchers also measured password entropy, which is a way of calculating unpredictability.

The results showed that many AI-generated passwords had significantly lower entropy than a truly random password of the same length.

In simple terms, they may be easier to crack than they appear.

Why Password Checkers Don't Tell the Full Story

Many businesses rely on password strength meters to determine whether a password is secure.

The challenge is that these tools typically measure visible complexity rather than true randomness.

A password containing symbols, numbers and mixed-case letters may receive an excellent score even if it follows predictable patterns.

As a result, businesses can be left with a false sense of security.

What looks strong on the surface may not be nearly as resilient as expected when faced with modern password-cracking techniques.

Even AI Is Warning Against It

The issue has become significant enough that some AI platforms now caution users against relying on AI-generated passwords for sensitive accounts.

While AI excels at productivity, communication and automation, password security sits outside its strengths.

That alone should be a reminder that not every task should be handed over to AI.

The Better Alternative

If you need secure passwords, use a dedicated password manager with a built-in password generator.

These tools use cryptographic randomness specifically designed to create unpredictable credentials that are significantly more secure than passwords generated through pattern-based systems.
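To make the points above about entropy, repeated characters and cryptographic randomness concrete, here is an added example (not from the research or any password manager's code). It generates passwords with Python's `secrets` module and checks how often a truly uniform generator produces a password with no repeated character. The 94-character alphabet, the 16-character length and the three `SUSPECT` strings are assumptions constructed for illustration.

```python
import math
import secrets
import string

# Assumption: a 94-character alphabet (printable ASCII without the space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Constructed sample, not real model output: "complex-looking", never repeats.
SUSPECT = ["G7$kL9#mQ2&xP4!w", "vR8@nT3%bY6^zK1*", "X5!qW2#eD9$rF4&t"]

def generate_password(length=16, alphabet=ALPHABET):
    """Draw each character independently and uniformly from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def uniform_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits when every character is independent and uniform."""
    return length * math.log2(alphabet_size)

def p_no_repeat(length, alphabet_size=len(ALPHABET)):
    """Chance that a uniformly random password has no repeated character."""
    p = 1.0
    for i in range(length):
        p *= (alphabet_size - i) / alphabet_size
    return p

def no_repeat_fraction(passwords):
    """Observed share of passwords in which every character is distinct."""
    return sum(len(set(p)) == len(p) for p in passwords) / len(passwords)

def all_distinct_batch_probability(count, length):
    """Chance that `count` independent uniform passwords ALL avoid repeats."""
    return p_no_repeat(length) ** count

if __name__ == "__main__":
    batch = [generate_password() for _ in range(2000)]
    print("example password:", batch[0])
    print("entropy (bits):", round(uniform_entropy_bits(16), 2))
    print("expected no-repeat share:", round(p_no_repeat(16), 3))
    print("observed, CSPRNG batch:", round(no_repeat_fraction(batch), 3))
    print("observed, suspect batch:", no_repeat_fraction(SUSPECT))
    print("chance of 20 repeat-free in a row:",
          all_distinct_batch_probability(20, 16))
```

Under these assumptions only about a quarter of uniformly random passwords are free of repeats, so a generator whose output never repeats a character is measurably not sampling uniformly, whatever a strength meter says about each individual password.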

Combined with multi-factor authentication and strong access controls, password managers remain one of the simplest and most effective ways to strengthen your organisation’s security posture.

Are Your Password Practices Putting Your Business at Risk?

AI is a valuable business tool, but not every task belongs to AI.

When it comes to password generation, true randomness matters. AI is designed to predict patterns, not create unpredictable credentials.

So, how confident are you that your employees are using secure passwords and following best-practice security measures?

Perigon One can help you assess your current security posture, identify vulnerabilities and implement practical solutions that reduce risk before attackers have the opportunity to exploit them. Contact our team to start the conversation.