AI Passwords: A Hidden Danger Revealed by a Study
An Alarming Study on AI Passwords
In February 2026, a study conducted by Irregular highlighted a major issue with passwords generated by artificial intelligence. Large language models (LLMs), such as those behind GPT, Claude, and Gemini, do not produce true randomness. Instead, they generate sequences of text that appear plausible but severely lack entropy. This makes these passwords predictable and therefore vulnerable to attacks.
The Predictability of AI Models
Thorough testing on the mentioned AI models revealed recurring patterns and duplicates in the generated passwords. This predictable structure creates a potential large-scale attack surface. Attackers can thus create "LLM-style" password lists using the same prompts that were used to generate the initial passwords.
Specific Vulnerabilities of AI Passwords
Passwords created by general-purpose AI systems exhibit several types of vulnerabilities. On one hand, there are mathematical vulnerabilities due to predictable patterns and insufficient entropy. On the other hand, systemic vulnerabilities arise, such as data centralization, query logging, and output reuse. Large language models are not designed to generate randomness but to produce text that seems correct based on what they have learned. When prompted to create a secure password, they do not aim to maximize unpredictability but to conform to a general idea of what a good password looks like: an uppercase letter, a few numbers, and a symbol.
Understanding Entropy
Entropy is a measure of how unpredictable a password is. The higher the entropy, the harder it is to guess the password. For example, a password with only 20 bits of entropy would require about 1 million attempts to be guessed. In contrast, a password with 100 bits of entropy would require 2¹⁰⁰ attempts, an astronomical number that would make guessing it practically impossible, even over billions of years.
Analysis of Recent Models
The Irregular study tested several recent models, including GPT, Claude, and Gemini. While some results appear solid, recurring patterns were observed. For instance, out of 50 generated passwords, all start with a letter, often a capital "G" followed by the number 7. No character repeats, which is improbable in a random draw. Furthermore, out of the 50 generated passwords, only 30 are unique, with the others being duplicates.
The Dangers of Standardization
The standardization of passwords generated by AI poses a significant risk. If a large number of users rely on the same public models to generate their passwords, it leads to very similar creations. This homogeneity provides fertile ground for large-scale attacks, where attackers can easily generate "LLM-style" password lists from the same prompts.
Recommendations for Enhanced Security
To address these vulnerabilities, it is advisable to use a password manager that incorporates a cryptographically secure random generator. Unlike general-purpose AIs, these tools are designed to produce truly unpredictable and unique strings. Additionally, enabling two-factor authentication is strongly recommended to limit damage in the event of a data breach.
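The audit below runs the signals described above (duplicates, a dominant first character, no repeated characters) over a batch of passwords and compares them with a batch drawn from a cryptographically secure generator. It is an added example, not code or data from the Irregular study; the 70-symbol alphabet, the 16-character length and the sample passwords are assumptions constructed for illustration.

```python
import math
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # assumed 70-symbol set


def csprng_password(length=16):
    """Draw each character independently and uniformly from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def p_no_repeat(length, alphabet_size=len(ALPHABET)):
    """Probability that a uniform random string has no repeated character."""
    return math.prod((alphabet_size - i) / alphabet_size for i in range(length))


def audit(passwords):
    """Summarise the predictability signals for a batch of passwords."""
    n = len(passwords)
    first = Counter(p[0] for p in passwords)
    return {
        "total": n,
        "unique": len(set(passwords)),
        "starts_with_letter": sum(p[0].isalpha() for p in passwords) / n,
        "top_first_char": first.most_common(1)[0],
        "no_repeated_char": sum(len(set(p)) == len(p) for p in passwords) / n,
        # Empirical entropy of the first character alone, in bits.
        "first_char_bits": -sum(c / n * math.log2(c / n) for c in first.values()),
    }


# Constructed sample imitating the reported pattern (not data from the study).
CONSTRUCTED_LLM_STYLE = ["G7$kLm9#pQx2vRtZ", "G7$kLm9#pQx2vRtZ", "G7@xKp2$mNq9vLzR",
                         "K9#mPx2$vLq7RtZn", "G7!pQm4#xLk9vRz2", "K9#mPx2$vLq7RtZn"]

if __name__ == "__main__":
    print("LLM-style :", audit(CONSTRUCTED_LLM_STYLE))
    print("CSPRNG    :", audit([csprng_password() for _ in range(50)]))
    # For a uniform draw, a 16-character string avoids repeats only part of
    # the time, so a batch where *no* password has a repeat is a red flag.
    print("P(no repeat), uniform 16 chars: %.3f" % p_no_repeat(16))
    print("Bits per CSPRNG password: %.1f" % (16 * math.log2(len(ALPHABET))))
```

With a uniform generator, a batch in which every password lacks a repeated character, or in which duplicates appear at all, is statistically implausible; either signal in a real batch points to a non-random source.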