Don’t let an AI chatbot pick your password, ever


Asterisk of password line with burning fuse as a symbol of data breach.

Boris Zhitkov/Moment/Getty Images

Follow ZDNET: Add us as a preferred source on Google.


ZDNET’s key takeaways

  • AI chatbots aren’t reliable security tools.
  • AI-generated passwords may be predictable and easy to crack.
  • Use trusted password generators for stronger, unique passwords.

The last thing you want is for your password to be predictable.

Hopefully, most of us no longer use phrases and character strings that used to be common, such as QWERTY or Password1. Many online services now require users to use complex combinations of letters, numbers, and symbols, and may even check for data breaches and data dumps to make sure you’re not reusing the same password across multiple services.

Coming up with these combinations can be an annoying and time-consuming process, and it may seem like asking popular AI chatbots and models such as Claude, ChatGPT, and Gemini to generate them for you is a sensible and secure alternative — but new research into the true ‘randomness’ of their answers brings this into question.

AI-suggested passwords can fall into patterns

According to research conducted earlier this year by Irregular, popular AI chatbots such as Claude, ChatGPT, and Gemini tend to produce passwords that aren’t truly random.

Also: Is that QR code a trap? How to spot quishing scams before it’s too late

After testing these models with 50 password-generation requests, the researchers found “noticeable patterns” indicating that the passwords didn’t fit the definition of truly random, secure credentials.

For example, when testing Claude, the researchers found that every password started with a letter and was usually followed by the number 7. The same letters and numbers were often used in each request, no characters were repeated (as this goes against the AI’s preferred output format), and some letters in the alphabet, as well as symbols, never appeared at all.

In total, the team says that, in this case alone, only 30 ‘unique’ passwords were generated from 50 prompts. One of the passwords, G7$kL9#mQ2&xP4!w, was repeated often enough that there was a 36% probability of it appearing in the dataset.

It is important to note that the prompt “please generate a password” was used in the research and that refining the prompt could yield better results. However, the average AI chatbot user probably wouldn’t craft sophisticated prompts for these tasks, especially given that better options are available, like password managers and passkeys.

Why ‘random-looking’ and ‘random’ are not the same

G7$kL9#mQ2&xP4!w” — this looks secure, right? But the data from the test tells a different story.

Things that ‘look’ secure and ‘are’ secure are very different. Strong password generators rely on cryptographically secure pseudorandom number generators (CSPRNGs), algorithms that generate unpredictable numbers and letters far removed from any pattern or predictability.

Also: I’m ditching passwords for passkeys for one reason – and it’s not what you think

As noted by Malwarebytes, cyberattackers today often perform dictionary attacks: automated cracking attempts based on lists of commonly used passwords. It wouldn’t take much to add a few thousand more AI-generated combinations, which would further reduce their security.

Predictability and probability are the problems. By design, AI is meant to find patterns, predict the next steps in tasks, and use logic. These bots often get things wrong, and even if they tell you a password is strong and unique, we shouldn’t bet our account security on what AI claims.

What actually generates strong, random passwords

I recommend using a password manager to handle the complexities of generating strong, complex credentials for your online accounts. If you pick the right service, you won’t have to worry about remembering scores of letters, numbers, and symbols — your passwords are securely stored for you, and you might even just need a thumbprint or a single password to access your vault.

Also: Microsoft goes all in on new AI-powered Windows security strategy

At the very least, use a password generator that lets you generate long strings of characters and includes lower- and uppercase letters, numbers, and symbols. Preferably, it should also have a meter that shows you the strength of a generated password.

We should remember that AI is based on large language models trained to recognize and adopt patterns. They aren’t standalone, foolproof security solutions, and they can’t be trusted to always provide correct results. This includes supposedly random passwords.





Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


YouTube has an AI slop problem, and its crackdown is catching legitimate creators in the crossfire. Faceless channels, where no human host ever appears on screen, have existed for years and are not inherently AI-generated.

Many are run by solo creators who simply prefer to stay anonymous. The problem is that AI tools made it easy to flood the platform with low-effort faceless content at scale, and YouTube’s algorithm is now penalizing the format as a whole.

How bad is the AI slop problem on YouTube?

A Kapwing study found that roughly 21% of the first 500 videos recommended to a new YouTube account were classified as AI slop, while 33% fell into a broader brainrot category. The problem extends to children, too, as more than 40% of YouTube Shorts recommended to kids in a 15-minute session contained low-quality AI content.

YouTube’s response has been to tweak its algorithm to favor videos with real human faces on camera, which is hitting faceless creators even when their content is entirely human-made.

How is YouTube tackling its AI slop problem?

YouTube is now testing a new pop-up on mobile that asks viewers to rate whether a video feels like AI slop, on a scale from “not at all” to “extremely.” The idea sounds reasonable, but crowdsourcing AI detection has real problems. People are bad at spotting AI content, and they are getting worse at it as AI capabilities continue to improve.

There are also legitimate concerns that YouTube could use this viewer feedback as training data for its own AI models, potentially making future AI-generated content even harder to spot.

🚨 Did you just see what YouTube did?

YouTube isn’t banning AI slop.. They’re making you label it so they can train their next model to not look like slop.

Read that again…

You flag the bad AI content. YouTube collects it. Google feeds it into Veo 4… Then next year their… https://t.co/8UC2J3mjjv pic.twitter.com/mIrTChqC1b

— Tuki (@TukiFromKL) March 17, 2026

Meanwhile, faceless creators are scrambling to adapt. According to The Hollywood Reporter, some are hiring cheap on-camera hosts through platforms like Fiverr and Upwork. Others are doubling down on niche educational content, which has held up better than broad content farms.

The AI text-to-video space is still valued at enormous sums, with Higgsfield AI alone sitting at $1 billion, but on YouTube, the math for faceless creators is getting harder to work out every month.



Source link