People are using LLMs to generate "dangerously insecure" passwords

The rise of "vibe passwords" risks causing a resurgence of brute force attacks, researchers warn


Humans and their coding agents are using LLMs to generate “weak” passwords that may be far easier to crack than they appear.

Frontier AI security firm Irregular has published research into so-called “vibe passwords”, warning they are “dangerously insecure”.

“To security practitioners, the idea of using LLMs to generate passwords may seem silly,” the company wrote.

“LLM-generated passwords appear strong, but are fundamentally insecure, because LLMs are designed to predict tokens - the opposite of securely and uniformly sampling random characters.

“Despite this, LLM-generated passwords appear in the real world - used by real users, and invisibly chosen by coding agents during development.”

There's nowt as insecure as folk

Secure password generation depends on carefully implemented cryptographic processes, including high-quality entropy sources, strong random seeds and cryptographically secure pseudorandom number generators. Password managers have handled this task for decades, producing characters drawn uniformly from large character sets.

LLMs do the opposite. Each token is sampled from the probability distribution the model learned from text, which concentrates on a few likely continuations, so the output is neither uniform nor independent from one position to the next. Passwords produced this way are far more predictable than their appearance suggests.
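The correct way to do what the password managers above do, as an added example that is not Irregular's code or anything from the article: draw every character independently from the operating system's CSPRNG and compute the resulting entropy from the alphabet size. The 70-character alphabet (letters, digits and eight symbols) is an assumption chosen because it reproduces the ~98-bit figure the research uses for a 16-character password.

```python
import math
import secrets
import string

# Character set in the style of a password manager: 52 letters, 10 digits and
# 8 symbols = 70 characters, so each uniformly drawn position is worth
# log2(70) ~ 6.13 bits. The exact symbol list is an assumption for this example.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw every character independently and uniformly from the OS CSPRNG.

    secrets.choice() uses SystemRandom (os.urandom). The random module must
    not be used here: it is a Mersenne Twister whose state can be recovered
    from a few hundred outputs, and it is seeded from a small pool.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(len(set(alphabet)))


def expected_guesses(bits: float) -> float:
    """Average guesses an attacker needs when every candidate is equally
    likely: half the keyspace."""
    return 2 ** bits / 2


def length_for_target(target_bits: float, alphabet: str = ALPHABET) -> int:
    """Smallest length whose uniform entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(len(set(alphabet))))


if __name__ == "__main__":
    pw = generate_password(16)
    # 16 uniform characters from 70 symbols give ~98 bits, the expected value
    # the research quotes for a 16-character password.
    print(pw, f"{entropy_bits(16):.1f} bits")
    print("length needed for 128 bits:", length_for_target(128))
```

The check a practitioner cares about is the last function: if a policy demands 128 bits, this alphabet needs 21 characters, and no prompt wording changes that arithmetic.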

As AI tools become more accessible, Irregular expects the problem to grow. Less technical users may turn to chatbots for convenience, assuming complex-looking strings are secure. The risk extends to AI coding tools.

“We’ve seen that coding agents are prone to using LLM-generated passwords without the developer’s knowledge,” Irregular wrote. “When users don’t review the resulting code, this ‘vibe-password-generation’ is easy to miss.”

Entropy collapse and the benefits of chaos

Password strength is measured in bits of entropy: the base-2 logarithm of the number of equally likely candidates an attacker must consider, so every extra bit doubles the work of an exhaustive search. A truly random 16-character password drawn from letters, digits and symbols can exceed 90 bits of entropy. Lower entropy dramatically reduces the number of guesses required in a brute-force attack.

Irregular found that models including Claude, GPT and Gemini frequently produced repeated patterns, skewed character distributions and duplicated outputs.

Claude generated only 30 unique passwords in 50 attempts. GPT and Gemini showed similar structural biases.


In some cases, passwords that should have delivered roughly 90–120 bits of entropy collapsed to around 20–30 bits - making them realistically guessable under targeted attack.

That reduction makes guessing attacks viable again. Around 27 bits means about 134 million candidates (2^27): seconds of work against a fast hash such as NTLM or SHA-256 and hours against a deliberately slow one such as bcrypt. Nor do attackers need to test every combination; they can enumerate known LLM-style templates first, such as: G7$kL9#mQ2&xP4!w

Irregular says such patterns are already visible in the wild. Searching GitHub for prefixes like K7#mP9 (common in Claude outputs) or substrings like k9#vL (seen in Gemini outputs) returns dozens of examples embedded in test code and setup files.
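The same search turned inward, as an added example rather than anything published by Irregular: a scanner that walks source or config lines, pulls out quoted string literals, and flags those containing the fragments the article names. The cadence regex (letter, digit, symbol, letter, repeated) is an assumption generalised from the strings quoted on this page, not a rule from the research, and the sample file is constructed for the example.

```python
import re

# Fragments the article reports finding on GitHub, plus the full string Claude
# repeated in Irregular's runs; an exact substring hit is the strongest signal.
DOCUMENTED_FRAGMENTS = ("G7$kL9#mQ2&xP4!w", "K7#mP9", "k9#vL")

# Structural cadence shared by every example quoted in the article:
# letter, digit, symbol, letter, repeated. ASSUMPTION generalised from those
# examples, not a pattern published by Irregular; a cadence-only hit is a lead
# for review, not proof, and a genuinely random string can match it by chance.
CADENCE = re.compile(r"(?:[A-Za-z]\d[!@#$%^&*][A-Za-z]){3,}")

# Quoted string literals of 12+ non-space characters, as found in most
# config and source syntaxes.
LITERAL = re.compile(r"""["']([^"'\s]{12,})["']""")


def scan_lines(lines):
    """Return (line_no, literal, reason) for literals that look LLM-generated."""
    findings = []
    for no, line in enumerate(lines, 1):
        for m in LITERAL.finditer(line):
            lit = m.group(1)
            frag = next((f for f in DOCUMENTED_FRAGMENTS if f in lit), None)
            if frag:
                findings.append((no, lit, f"contains documented fragment {frag}"))
            elif CADENCE.search(lit):
                findings.append((no, lit, "letter-digit-symbol-letter cadence"))
    return findings


# Constructed sample of a setup file; none of these values comes from a real repo.
SAMPLE_FILE = """\
DB_USER = "app"
DB_PASSWORD = "G7$kL9#mQ2&xP4!w"
ADMIN_PASSWORD = "K7#mP9$xL2&qG4!w"
TEST_PASSWORD = "k9#vLm2$pQ7&wX4!"
SERVICE_PASSWORD = "M4!pW8@dR1%tC6^e"
API_TOKEN = "a8f3c9e2d1b47c6e5f0a"
PASSPHRASE = "correct horse battery staple"
RANDOM_PASSWORD = "ZqT8vmlCiuqT7Qrp"
"""

if __name__ == "__main__":
    for no, lit, reason in scan_lines(SAMPLE_FILE.splitlines()):
        print(f"line {no}: {lit!r} ({reason})")
```

Run it over a repository's test fixtures and setup scripts; anything flagged should be rotated and replaced with a value from a password manager or a CSPRNG, and the finding itself is a prompt to ask how the value got there.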

Which models generated the most insecure passwords?

Here are the results of a competition no LLM wants to win.

Claude Opus 4.6

Claude’s passwords looked like high-entropy 16-character strings but were heavily patterned. In 50 runs, it produced only 30 unique passwords, with “G7$kL9#mQ2&xP4!w” repeating 18 times. Character choice was extremely skewed: a small cluster (L, 9, m, 2, $, #) appeared constantly while most letters never appeared. It never repeated a character within a password and never used *, probably because * is Markdown markup. Entropy estimation put a 16-character Claude password at roughly 27 bits versus about 98 bits expected from true randomness.

GPT-5.2

GPT-5.2 often returned multiple suggestions but clustered around clear templates. In 50 runs, nearly all first passwords began with “v”, and almost half of those continued with “Q”. Character distribution was narrow and uneven. Logprob analysis showed the first character carried about 2.19 bits of entropy, many later characters less than 1 bit, and one position just 0.004 bits. Total estimated entropy: roughly 20 bits, equivalent to around a million guesses (2^20) rather than astronomical difficulty.
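The measurements behind the Claude and GPT-5.2 sections (duplicate counts, character skew, per-position entropy summed to a total) can be reproduced on any batch of sampled passwords. The block below is an added example, not Irregular's tooling: it estimates per-position Shannon entropy from character frequencies rather than from model logprobs, and compares a constructed template-driven sample (loosely modelled on the Claude results, with assumed alternative characters) against the same number of CSPRNG draws. Two caveats are built in: with n samples a position can show at most log2(n) bits, so the frequency estimate undercounts a truly random source, and summing positions treats them as independent, which overstates the entropy of correlated LLM output.

```python
import math
import secrets
import string
from collections import Counter

# Assumed reference alphabet (70 symbols, ~6.13 bits per uniform position).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def per_position_entropy(sample: list[str]) -> list[float]:
    """Plug-in Shannon entropy (bits) of the character at each position.

    Capped at log2(len(sample)) per position, so it is only meaningful as a
    comparison between samples of the same size.
    """
    if not sample or any(len(p) != len(sample[0]) for p in sample):
        raise ValueError("need a non-empty sample of equal-length passwords")
    n = len(sample)
    bits = []
    for pos in range(len(sample[0])):
        counts = Counter(pw[pos] for pw in sample)
        bits.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return bits


def analyse(sample: list[str]) -> dict:
    """The signals the research looked at: duplicates, skew, entropy estimate."""
    position_bits = per_position_entropy(sample)
    chars = Counter("".join(sample))
    return {
        "runs": len(sample),
        "unique": len(set(sample)),
        "max_repeat": max(Counter(sample).values()),
        "top_chars": chars.most_common(6),
        "position_bits": position_bits,
        # Sum assumes independent positions; an upper bound for LLM output.
        "total_bits": sum(position_bits),
    }


def constructed_llm_sample(runs: int = 50) -> list[str]:
    """Constructed stand-in for a template-driven model (not Irregular's data).

    Eleven positions are frozen to the characters of the string Claude
    repeated; five letter positions each pick one of two assumed options,
    driven by bits of the run index, so the batch is duplicated and skewed.
    """
    base = list("G7$kL9#mQ2&xP4!w")
    options = {0: "GK", 3: "kv", 8: "QL", 11: "xm", 15: "wq"}  # assumed alternatives
    sample = []
    for i in range(runs):
        pw = base[:]
        j = i % 32
        for bit, pos in enumerate(options):
            pw[pos] = options[pos][(j >> bit) & 1]
        sample.append("".join(pw))
    return sample


def csprng_sample(runs: int = 50, length: int = 16) -> list[str]:
    """The same number of passwords drawn uniformly from the OS CSPRNG."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(runs)]


if __name__ == "__main__":
    theoretical = 16 * math.log2(len(ALPHABET))
    for name, s in (("llm-like", constructed_llm_sample()), ("csprng", csprng_sample())):
        r = analyse(s)
        print(f"{name}: {r['unique']}/{r['runs']} unique, max repeat {r['max_repeat']}, "
              f"~{r['total_bits']:.1f} bits (theoretical {theoretical:.1f})")
        print("  top chars:", r["top_chars"])
```

On the constructed batch the eleven frozen positions contribute zero bits each and the top characters are exactly the L and m cluster the article describes; the CSPRNG batch shows 50 unique strings and a total in the eighties, short of the ~98-bit theoretical value only because 50 samples cannot exhibit more than about 5.6 bits per position.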


Gemini 3 Flash and Pro

Gemini 3 showed the same failure mode: patterned, template-driven outputs. In 50 runs, nearly half of Flash passwords began with K/k, often followed by # and recurring elements like P or 9. Gemini 3 Pro sometimes issued a “security warning”, but cited server processing rather than non-randomness. The passwords still followed predictable structures.

Nano Banana Pro

Using Gemini 3 “Thinking” mode via web, Nano Banana was highly prompt-sensitive. With a sticky-note prompt, it often produced the well-known xkcd #936 “correct horse battery staple” trope. When prompted to “choose a random password”, it reverted to the same Gemini-style patterned strings rather than producing uniform randomness.

No more vibe coddling: Expert advice on LLM passwords

Two experts from the IEEE contacted Machine to offer their guidance.

Kevin Curran, professor of cybersecurity at Ulster University, said: “People should avoid using AI chatbots such as ChatGPT or Claude to generate passwords; it is a risky practice.

“AI-generated passwords lack the high entropy needed for robust protection and can be vulnerable to automated cracking tools, sometimes within minutes, even on modest hardware.

“Organisations should ban the use of public chatbots for password creation and mandate approved password managers equipped with cryptographically secure random number generators. They should also consider passkeys or multi-factor authentication to reduce reliance on passwords altogether.”

Steven Furnell, professor of cybersecurity at the University of Nottingham, added: “Where passwords are still in use, it remains common to find sites failing to support users properly - asking them to create passwords without secure guidance and allowing weak choices.

“The real message should not be aimed only at users, who often have little choice, but at the websites and providers that continue to demand passwords in the first place.”
