Research from Irregular found that passwords generated by LLMs are predictable and easy to guess, with the same passwords being generated for multiple users

Research from Irregular found that passwords generated by LLMs are predictable and easy to guess, with the same passwords being generated for multiple users

Vibe Password Generation: Predictable by Design - Irregular

LLM-generated passwords appear strong, but are fundamentally insecure. Testing across GPT, Claude, and Gemini revealed highly predictable patterns: repeated passwords across runs, skewed character distributions, and dramatically lower entropy than expected. Coding agents compound the problem by sometimes preferring and using LLM-generated passwords without the user’s knowledge. We recommend avoiding LLM-generated passwords and directing both models and coding agents to use secure password generation methods instead.

(www.irregular.com)

@campuscodi Dang. The make-stuff-up machines aren't even good at making stuff up.

@campuscodi One would imagine that the machines built entirely around statistically picking the next most likely thing would generate the worst possible passwords.

@campuscodi yeah, that's why I have my agents call #openssl
openssl rand -base64 48

@campuscodi why.would.somebody.use.an.llm.to.generate.a.password

@campuscodi why are people using LLMs to select passwords?! ‍️ I would expect password reuse by humans, but even the computers can’t practice proper #password hygiene!

To be fair passwords are a human problem not a machine problem…