People rely on ChatGPT, Llama and DeepSeek for password generation

On this World Password Day, Kaspersky has warned users against AI password generation, as AI-generated passwords may not be as secure as they appear.

Poor password management is compounded by a reliance on common combinations of names, dictionary words and numerals. Not only are these passwords relatively easy to decipher, but if a cybercriminal gains access to a password on one site, that could result in access to a plethora of other sites. Password creation and management can be an arduous task. To tackle the burden of password creation and management, people might be tempted to use large language models (LLMs) like ChatGPT, Llama or DeepSeek to generate their passwords.

While AI can assist with many tasks, password generation is not one of them. The patterns and predictability of LLM-created passwords make them vulnerable to cracking.

Alexey Antonov, Data Science Team Lead at Kaspersky, tested this by generating 1,000 passwords using some of the more prominent and trusted LLMs, including ChatGPT (from OpenAI), Llama (a model from Meta) and DeepSeek (a newcomer from China).

“All of the models are aware that a good password consists of at least 12 characters, including uppercase and lowercase letters, numbers and symbols. They report this when generating passwords,” says Antonov. “In practice, though, the algorithms often neglected to insert a special character or digits into the password: 26% of passwords for ChatGPT, 32% for Llama and 29% for DeepSeek, while DeepSeek and Llama sometimes generated passwords shorter than 12 characters.”

In 2024, Alexey Antonov developed a machine learning algorithm to test password strength and found that almost 60% of passwords can be cracked in under an hour using modern GPUs or cloud-based cracking tools. When the algorithm was applied to AI-generated passwords, the results were alarming: the passwords were far less secure than they appeared. 88% of DeepSeek-generated and 87% of Llama-generated passwords were not strong enough to withstand an attack from sophisticated cybercriminals. ChatGPT did a little better, with 33% of its passwords not strong enough to pass the Kaspersky test.

AI produces strings that look random, which helps avoid the human tendency to create predictable, dictionary-based passwords. But appearances can be deceptive: AI-generated passwords may not be as secure as they appear.

“The problem is LLMs don’t create true randomness. Instead, they mimic patterns from existing data, making their outputs predictable to attackers who understand how these models work,” notes Antonov.

Kaspersky recommends that rather than relying on AI, users should create strong passwords themselves or adopt dedicated password management software, such as Kaspersky Password Manager. These tools offer several key advantages. First, this type of software uses cryptographically secure generators to create passwords with no detectable patterns, ensuring true randomness. Second, all credentials are stored in a secure vault, protected by a single master password.

Additionally, password managers provide auto-fill and synchronization across devices, streamlining logins without compromising security. Many also include breach monitoring, alerting users if their credentials appear in a data leak. Instead of taking shortcuts, invest in a reputable password manager, your first line of defense against cyber threats.
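The "cryptographically secure generator" approach mentioned above, as an added example (not Kaspersky's code and not part of the original article): a Python generator that draws every character from the operating system's CSPRNG via `secrets`, paired with a checker for the criteria Antonov lists (at least 12 characters, with uppercase, lowercase, digits and symbols). The function names and the sample passwords are constructed for illustration.

```python
import secrets
import string

# Criteria quoted in the article: >= 12 characters, all four character classes.
MIN_LENGTH = 12
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def policy_failures(password):
    """Return the criteria a password misses (empty list means it passes).
    This checks composition only; it says nothing about how random the
    string is, which is why a passing LLM password can still be predictable."""
    failures = ["length"] if len(password) < MIN_LENGTH else []
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            failures.append(name)
    return failures

def generate_password(length=16):
    """Generate a password from the OS CSPRNG that meets every criterion."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES.values())
    while True:
        # Rejection sampling: redraw the whole string instead of forcing a
        # class into a fixed position, so accepted passwords stay uniformly
        # distributed over all policy-compliant strings.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_failures(candidate):
            return candidate

def audit(passwords):
    """Fraction of passwords that miss at least one criterion."""
    return sum(1 for p in passwords if policy_failures(p)) / len(passwords)

# Constructed sample in the style of the shortfalls the article reports
# (missing digits or symbols, shorter than 12 characters).
SAMPLE = ["P@ssw0rd2024!Secure", "BlueSky!Horizon", "xK9mPq2Lw", "SunnyMountainRiver"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r}: {policy_failures(pw) or 'meets criteria'}")
    print("share failing:", audit(SAMPLE))
    print("generated:", generate_password())
```

Note that the first sample string meets every criterion yet is built from common words and substitutions, so passing this check is necessary but not evidence of strength.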
