People who used computer-generated passwords urged to change them immediately
You could be putting your accounts at risk
Featured Image Credit: SEAN GLADWELL / Getty
Top-notch cybersecurity has become non-negotiable for protecting your accounts, money and personal data from hackers and scammers.
Security experts advise against using common passwords that many Gen-Z users rely on, as well as avoiding any personal information like birthdays or family names. One robust method for creating strong passwords is to use a password generator that generates random combinations and stores them in a single, secure, encrypted location.
Another option many users have deemed safe is using artificial intelligence to choose passwords.
Advert
After all, AI can quickly produce passwords and confidently assures you that the output is strong.
But security lab Irregular co-founder Dan Lahav is now issuing urgent warnings that if you've used AI to create passwords, you need to change them right away.
New research revealed that all three major models, including ChatGPT, Claude, and Gemini, produced highly predictable passwords.
Speaking to Sky News, Lahav said: "You should definitely not do that. And if you've done that, you should change your password immediately. And we don't think it's known enough that this is a problem."
Large language models (LLMs) have predictable patterns in their generated passwords, allowing sophisticated hacking tools to guess them almost immediately.
Rather than generating truly random passwords, they create results based on patterns found in their training data.
When Irregular tested 50 passwords generated by Anthropic's Claude AI, they discovered only 23 unique combinations. The password K9#mPxvL2nQ8wR appeared 10 times. Other examples included K9#mP2vL5nQ8@xR, K9mP2vL#nX5qR@j, and K9mPx2vL#nQ8wFs.
OpenAI's ChatGPT and Google's Gemini AI showed slightly more variation in their outputs but still produced duplicated passwords and predictable sequences.
The problem is that online password checking tools rate these passwords as extremely strong, with one checker (verified by Sky News) estimating that a Claude-generated password would take a computer 129 million trillion years to crack. But the assessments are inaccurate as the checkers don't recognise the underlying patterns between the generated passwords.
"Our best assessment is that currently, if you're using LLMs to generate your passwords, even old computers can crack them in a relatively short amount of time," Lahav added.
The problem goes beyond passwords, as developers who increasingly rely on AI to write significant portions of their code potentially introduce these weak password patterns into software applications.
Robert Hann, global VP of technical solutions at Entrust, pointed out that there are 'stronger and easier authentication methods' out there and recommends using passkeys such as face and fingerprint ID wherever possible.
If not, reliable tools like Google Password Manager can generate strong, secure passwords. Or you can go old school and create a long, memorable password yourself. But whatever you do, don't ask AI for help.