In light of World Password Day, Alexey Antonov, Data Science team lead at Kaspersky, issues a stark warning against AI password generation.
With the increasing appeal of large language models (LLMs) like ChatGPT, Llama or DeepSeek to generate passwords, Antonov cautions that AI-generated passwords may not be as secure as they appear.
By generating 1,000 passwords using LLMs, including ChatGPT, Llama, and DeepSeek, Antonov observed: "All of the models are aware that a good password consists of at least 12 characters, including uppercase and lowercase letters, numbers, and symbols. They report this when generating passwords."
AI password generation
"DeepSeek and Llama sometimes generated passwords consisting of dictionary words, in which instead of some letters there are numbers of similar shape: S@d0w12, M@n@go3, B@n@n@7 (DeepSeek), K5yB0a8dS8, S1mP1eL1on (Lllama).
Both of these models like to generate the password "password": P@ssw0rd, P@ssw0rd!23 (DeepSeek), P@ssw0rd1, P@ssw0rdV (Llama). Needless to say, such passwords are not safe," explains Antonov.
He found that almost 60% of passwords can be cracked in under an hour using modern GPUs or cloud-based cracking tools. This was determined using a machine learning algorithm he developed in 2024 specifically to test password strength.
Alarmingly, most passwords generated by DeepSeek (88%) and Llama (87%) did not pass the Kaspersky test. ChatGPT had 33% of passwords not strong enough to withstand cyberattacks.
Secure password management
He strongly advises users to invest in a reputable password manager instead of generating passwords through AI. Such tools use cryptographically secure generators to create unpredictable and random passwords.
Moreover, he said dedicated password managers store all credentials in a secure vault, protected by a single master password, and provide auto-fill and synchronisation across devices to streamline logins.
