Don't let an AI chatbot pick your password, ever
Follow ZDNET: Add us as a preferred source on Google.

Follow ZDNET: Add us as a preferred source on Google.
The last thing you want is for your password to be predictable.
Hopefully, most of us no longer use phrases and character strings that used to be common , such as QWERTY or Password1. Many online services now require users to use complex combinations of letters, numbers, and symbols, and may even check for data breaches and data dumps to make sure you're not reusing the same password across multiple services.
Coming up with these combinations can be an annoying and time-consuming process, and it may seem like asking popular AI chatbots and models such as Claude, ChatGPT, and Gemini to generate them for you is a sensible and secure alternative -- but new research into the true 'randomness' of their answers brings this into question.
According to research conducted earlier this year by Irregular , popular AI chatbots such as Claude, ChatGPT, and Gemini tend to produce passwords that aren't truly random.
Also: Is that QR code a trap? How to spot quishing scams before it's too late
After testing these models with 50 password-generation requests, the researchers found "noticeable patterns" indicating that the passwords didn't fit the definition of truly random, secure credentials.
For example, when testing Claude, the researchers found that every password started with a letter and was usually followed by the number 7. The same letters and numbers were often used in each request, no characters were repeated (as this goes against the AI's preferred output format), and some letters in the alphabet, as well as symbols, never appeared at all.
In total, the team says that, in this case alone, only 30 'unique' passwords were generated from 50 prompts. One of the passwords, G7$kL9#mQ2&xP4!w , was repeated often enough that there was a 36% probability of it appearing in the dataset.
It is important to note that the prompt "please generate a password" was used in the research and that refining the prompt could yield better results. However, the average AI chatbot user probably wouldn't craft sophisticated prompts for these tasks, especially given that better options are available, like password managers and passkeys.
" G7$kL9#mQ2&xP4!w " -- this looks secure, right? But the data from the test tells a different story.
Things that 'look' secure and 'are' secure are very different. Strong password generators rely on cryptographically secure pseudorandom number generators ( CSPRNGs ), algorithms that generate unpredictable numbers and letters far removed from any pattern or predictability.
Source: ZDNet