Kaspersky issues warning against using AI to generate passwords
Given how persistent hackers are these days, and given that best practice for creating a legitimate password calls for a combination of numbers, letters and symbols in both upper and lower case, people are now turning to large language models (LLMs) such as ChatGPT, DeepSeek and the like to generate their passwords. This may not be as secure as it appears at first glance.

Much like how people have a natural bias towards creating passwords from words they are familiar with, AI-generated passwords surprisingly show the same tendency. To test this, the team at Kaspersky got the more popular LLMs such as Llama, ChatGPT and DeepSeek to generate 1,000 passwords.
What happens when you use AI to generate passwords?
Ideally, a proper password generator would be able to create a completely random password without any bias or preference for any symbol, letter or number with at least 12 characters. According to Alexey Antonov, Data Science Team Lead at Kaspersky, “All of the models are aware that a good password consists of at least 12 characters, including uppercase and lowercase letters, numbers and symbols. They report this when generating passwords.” Unfortunately, this isn’t exactly the case when tested.

Alexey Antonov, Lead Data Scientist at Kaspersky at a security briefing in Sri Lanka
He added that “DeepSeek and Llama sometimes generated passwords consisting of dictionary words, in which instead of some letters there are numbers of similar shape: S@d0w12, M@n@go3, B@n@n@7 (DeepSeek), K5yB0a8dS8, S1mP1eL1on (Llama). Both of these models like to generate the password “password”: P@ssw0rd, P@ssw0rd!23 (DeepSeek), P@ssw0rd1, P@ssw0rdV (Llama). Needless to say, such passwords are not safe.”
Essentially, DeepSeek and Llama generate passwords built from dictionary words with some letters swapped for look-alike numbers or symbols, which makes them easier to brute force. When tested, ChatGPT does not have this weakness, though larger datasets reveal that it tends to favour the number 9 when generating passwords, along with a noted preference for the letters x, p, I and L. In the case of Llama, the AI seems to love the # symbol as well as the letters p, I and L.
The models also tended to leave out special characters or digits, so that the password falls short of minimum security standards: this affected 26% of the passwords generated by ChatGPT, 32% of Llama's and 29% of DeepSeek's. Both DeepSeek and Llama also occasionally created passwords shorter than the 12 characters mandated for optimum security.
“The problem is LLMs don’t create true randomness. Instead, they mimic patterns from existing data, making their outputs predictable to attackers who understand how these models work”, notes Antonov. By recognising these quirks, threat actors can shorten the time for brute force dictionary attacks by selecting preferred or more frequent combinations of passwords.
As a field test of what happens when using AI to generate passwords, Antonov developed a machine learning algorithm to test password strength and found 60% of passwords can be cracked in under an hour using modern GPUs or cloud-based cracking tools. When applied to AI-generated passwords, the results were terrifying: 88% of DeepSeek’s, 87% of Llama’s and 33% of ChatGPT’s passwords failed Kaspersky’s algorithm test and, by extension, would be easy prey for a sufficiently persistent cybercriminal.
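As an added illustration (not Kaspersky's code or its strength-testing algorithm), the Python sketch below draws passwords from the operating system's CSPRNG and checks a password for the weaknesses described above: fewer than 12 characters, no digit or special character, and a dictionary word hidden behind look-alike substitutions. The symbol set, the two-word list and the substitution table are assumptions made for the example.

```python
import secrets
import string
from collections import Counter

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"          # assumed symbol set
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
# Look-alike substitutions of the kind seen in the quoted examples (@ for a, 0 for o, ...).
DELEET = str.maketrans("@013$5", "aoiess")
# Constructed two-word list for the demo; a real audit would load a full dictionary.
WORDS = ("password", "banana")


def generate(length=16):
    """Draw uniformly from the OS CSPRNG; redraw until every class is present."""
    if length < 12:
        raise ValueError("minimum length is 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def audit(pw):
    """Return the weaknesses the article reports for LLM-generated passwords."""
    issues = []
    if len(pw) < 12:
        issues.append("short")
    if not any(c.isdigit() for c in pw) or not any(not c.isalnum() for c in pw):
        issues.append("missing_digit_or_symbol")
    plain = pw.lower().translate(DELEET)      # undo look-alike substitutions
    if any(w in plain for w in WORDS):
        issues.append("dictionary_word")
    return issues


def top_char_share(passwords):
    """Share of all characters taken by the single most frequent one."""
    counts = Counter("".join(passwords))
    return counts.most_common(1)[0][1] / sum(counts.values())


if __name__ == "__main__":
    for pw in ("P@ssw0rd!23", "B@n@n@7", generate()):
        print(pw, audit(pw))
    print(round(top_char_share([generate() for _ in range(1000)]), 4))
```

Redrawing the whole password, rather than patching in a missing character class, keeps every policy-compliant password equally likely, which is the property the LLM output lacks.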
Needless to say, using AI to generate passwords is a recipe for disaster, and you need the right tools for the right job. That is why Kaspersky are advocating for their Kaspersky Password Manager, which keeps your passwords secure, generates them with true randomness and streamlines logins across devices.
