Generative Models Produce Weak Predictable Passwords

Irregular, an AI security firm, tested Claude, ChatGPT, Gemini and other models and found 16-character passwords that appear complex but follow common patterns. In 50 prompts to Claude only 30 outputs were unique, and measured entropies for LLM-generated passwords were roughly 20–27 bits versus expected 98–120 bits for truly random strings. Researchers warn such passwords could be brute-forced in hours and advise rotation.