Most online services and apps require the user to create a password. Chances are many of those passwords are not being used daily and due to this overabundance, there’s a high probability that many of the passwords are being reused. Poor password management is compounded by a reliance on common combinations of names, dictionary words and numerals. Not only are these passwords relatively easy to decipher, but if a cybercriminal gains access to a password on one site, that could result in access to a plethora of other sites.
People are urged to create unique, random passwords to counter the vulnerability posed by using the same password multiple times. However, password creation and management can be an arduous task. To tackle the burden of password creation and management, people might be tempted to use large language models (LLMs) like ChatGPT, Llama or DeepSeek to generate their passwords.
The appeal is clear. Rather than struggling to come up with a strong password, users can simply ask an AI to “Generate a secure password” and get an instant result. AI produces strings that look random, which helps avoid the human tendency to create predictable, dictionary-based passwords. But appearances can be deceptive: AI-generated passwords may not be as secure as they look.
Alexey Antonov, Data Science Team Lead at Kaspersky, tested this by generating 1,000 passwords with each of several prominent and widely trusted LLMs: ChatGPT (from OpenAI), Llama (from Meta) and DeepSeek (a newcomer from China).
“All of the models are aware that a good password consists of at least 12 characters, including uppercase and lowercase letters, numbers and symbols. They report this when generating passwords,” says Antonov. “In practice, though, the algorithms often neglected to insert a special character or digits into the password: 26% of passwords for ChatGPT, 32% for Llama and 29% for DeepSeek, while DeepSeek and Llama sometimes generated passwords shorter than 12 characters.”
In 2024, Alexey Antonov developed a machine learning algorithm to test password strength and found that almost 60% of passwords can be cracked in under an hour using modern GPUs or cloud-based cracking tools. When applied to AI-generated passwords, the results were alarming: the passwords were far less secure than they appeared. 88% of DeepSeek-generated and 87% of Llama-generated passwords were not strong enough to withstand attack from sophisticated cybercriminals, while ChatGPT did a little better, with 33% of its passwords not strong enough to pass the Kaspersky test.
“The problem is LLMs don’t create true randomness. Instead, they mimic patterns from existing data, making their outputs predictable to attackers who understand how these models work,” notes Antonov.
Adopt more secure password management
Rather than relying on AI, users should adopt dedicated password management software, such as Kaspersky Password Manager. These tools offer several key advantages.
First, this type of software uses cryptographically secure generators to create passwords with no detectable patterns, ensuring true randomness. Second, all credentials are stored in a secure vault, protected by a single master password. This eliminates the need to remember hundreds of passwords while keeping them safe from breaches.
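The two points above, the composition policy Antonov checked the LLM output against (at least 12 characters, with upper- and lowercase letters, digits and symbols) and a generator drawing from a cryptographically secure source, can be shown together in a short script. This is an added illustration, not Kaspersky's code or the logic of Kaspersky Password Manager; it uses Python's `secrets` module (an OS-backed CSPRNG), and the symbol set and the constructed sample batch are assumptions made for the example.

```python
import math
import secrets
import string

# Character classes for the policy described in the article. The exact
# symbol set is an assumption for this example; the article does not give one.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
MIN_LENGTH = 12

REQUIRED_CLASSES = {
    "lowercase": LOWER,
    "uppercase": UPPER,
    "digit": DIGITS,
    "symbol": SYMBOLS,
}


def missing_classes(password):
    """Return the names of required character classes absent from password."""
    return [name for name, chars in REQUIRED_CLASSES.items()
            if not any(c in chars for c in password)]


def audit(password):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short ({len(password)} < {MIN_LENGTH})")
    for name in missing_classes(password):
        problems.append(f"missing {name}")
    return problems


def generate(length=16):
    """Generate a policy-compliant password from a CSPRNG.

    Rejection sampling keeps the result uniform over all compliant strings of
    the given length, which a 'pick one from each class then shuffle' scheme
    does not (it biases the distribution and leaks structure).
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


def entropy_bits(length, alphabet=ALPHABET):
    """Upper bound on entropy for a uniformly random string over alphabet."""
    return length * math.log2(len(alphabet))


def batch_stats(passwords):
    """Mirror the two checks quoted in the article over a batch of passwords:
    share lacking a digit or symbol, and share shorter than MIN_LENGTH."""
    n = len(passwords)
    lacking = sum(1 for p in passwords
                  if any(c in missing_classes(p) for c in ("digit", "symbol")))
    short = sum(1 for p in passwords if len(p) < MIN_LENGTH)
    return {
        "no_digit_or_symbol_pct": round(100.0 * lacking / n, 1),
        "too_short_pct": round(100.0 * short / n, 1),
    }


# Constructed sample batch standing in for model output (not real LLM data).
SAMPLE_BATCH = [
    "Kx9#pLm2Qv7!",   # compliant
    "abcdefGHIJKL",   # no digit, no symbol
    "Summer2024!x",   # compliant but dictionary-based; policy checks miss this
    "Pass#word",      # too short, no digit
    "MnBvCx1zQa",     # too short, no symbol
]

if __name__ == "__main__":
    print("sample batch:", batch_stats(SAMPLE_BATCH))
    pw = generate(16)
    print("generated:", pw, "violations:", audit(pw))
    print(f"entropy bound for 16 chars: {entropy_bits(16):.1f} bits")
```

Note that `audit` only checks composition; "Summer2024!x" passes it despite being built from a dictionary word and a year, which is exactly the kind of learned pattern the article warns about. Composition rules are necessary but not sufficient, which is why the source of randomness matters as much as the policy.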
Additionally, password managers provide auto-fill and synchronisation across devices, streamlining logins without compromising security. Many also include breach monitoring, alerting users if their credentials appear in a data leak.
While AI can assist with many tasks, password generation is not one of them. The patterns and predictability of LLM-created passwords make them vulnerable to cracking. Instead of taking shortcuts, invest in a reputable password manager: it is your first line of defense against cyber threats. In an era where data breaches are rampant, a strong, unique password for every account is non-negotiable.