I’m a bit of a broken record when it comes to personal security on the internet: Make strong passwords for each account; never reuse any passwords; and sign up for two-factor authentication whenever possible. With these three steps combined, your general security is pretty much set. But how you make those passwords matters just as much as making each strong and unique. As such, please don’t use an AI program to generate your passwords.
If you’re a fan of chatbots like ChatGPT, Claude, or Gemini, it might seem like a no-brainer to ask the AI to generate passwords for you. You might like how they handle other tasks for you, so it might make sense that something seemingly so high-tech yet accessible could produce secure passwords for your accounts. But LLMs (large language models) are not necessarily good at everything, and creating good passwords just so happens to be among those faults.
AI-generated passwords are not secure
As highlighted by Malwarebytes Labs, researchers recently investigated AI-generated passwords, and evaluated their security. In short? The findings aren’t good. Researchers tested password generation across ChatGPT, Claude, and Gemini, and discovered that the passwords were “highly predictable” and “not truly random.” Claude, in particular, didn’t fare well: Out of 50 prompts, the bot was only able to generate 23 unique passwords. Claude gave the same password as an answer 10 times. The Register reports that researchers found similar flaws with AI systems like GPT-5.2, Gemini 3 Flash, Gemini 3 Pro, and even Nano Banana Pro. (Gemini 3 Pro even warned the passwords shouldn’t be used for “sensitive accounts.”)
The thing is, these results seem good on the surface. They look uncrackable because they’re a mix of numbers, letters, and special characters, and password strength identifiers might say they’re secure. But these generations are inherently flawed, whether that’s because they are repeated results, or come with a recognizable pattern. Researchers evaluated the “entropy” of these passwords, or the measure of unpredictability, with both “character statistics” and “log probabilities.” If that all sounds technical, the important thing to note is that the results showed entropies of 27 bits and 20 bits, respectively. Character statistics tests look for entropy of 98 bits, while log probabilities estimates look for 120 bits. You don’t need to be an expert in password entropy to know that’s a massive gap.
Hackers can use these limitations to their advantage. Bad actors can run the same prompts as researchers (or, presumably, end users) and collect the results into a bank of common passwords. If chatbots repeat passwords in their generations, it stands to reason that many people might be using the same passwords generated by those chatbots—or trying passwords that follow the same pattern. If so, hackers could simply try those passwords during break-in attempts, and if you used an LLM to generate your password, it might match. It’s tough to say what that exact risk is, but to be truly secure, each of your passwords should be totally unique. Potentially using a password that hackers have in a word bank is an unnecessary risk.
It might seem surprising that a chatbot wouldn’t be good at generating random passwords, but it makes sense based on how they work. LLMs are trained to predict the next token, or data point, that should appear in a sequence. In this case, the LLM is trying to choose the characters that make the most sense to appear next, which is the opposite of “random.” If the LLM has passwords in its training data, it may incorporate that into its answer. The password it generates makes sense in its “mind,” because that’s what it’s been trained on. It isn’t programmed to be random.
It’s not hard to make a secure password
Meanwhile, traditional password managers are not LLMs. Instead, they are designed to produce a truly random sequence, by taking cryptographic bits and converting them into characters. These outputs are not based on existing training data and follow no patterns, so the chances that someone else out there has the same password as you (or that hackers have it stored in a word bank) is slim. There are plenty of options out there to use, and most password managers come with secure password generators.
But you don’t even need one of these programs to make a secure password. Just pick two or three “uncommon” words, mix a few of the characters up, and presto: You have a random, unique, and secure password. For example, you could take the words “shall,” “murk,” and “tumble,” and combine them into “sH@_llMurktUmbl_e.” (Don’t use that one, since it’s no longer unique.)
Passkeys may be even more secure than passwords
If you’re looking to boost your personally security even further, consider passkeys whenever possible. Passkeys combine the convenience of passwords with the security of 2FA: With passkeys, your device is your password. You use its built-in authentication to log in (face scan, fingerprint, or PIN), which means there’s no password to actually create. Without the trusted device, hackers won’t be able to break into your account.
Not all accounts support passkeys, which means they aren’t a universal solution right now. You’ll likely need passwords for some of your accounts, which means abiding by proper security methods to keep things in order. But replacing some of your passwords with passkeys can be a step up in both security and convenience—and avoids the security pitfalls of asking ChatGPT to make your passwords for you.
