Are AI-Generated Passwords Actually Secure?
LLMs like ChatGPT can generate passwords, but should you use them? The answer involves understanding entropy, predictability, and model training data.
The fundamental difference between LLM output and cryptographic randomness
When you ask ChatGPT to "generate a random password," it produces a string that looks random. But the randomness properties of that string are completely different from what a cryptographic random number generator produces.
LLMs are trained to produce outputs that look statistically typical of their training data. A "random" string from an LLM isn't truly random; it is the output of a deterministic mathematical function applied to a combination of model weights and your prompt. Two people issuing the same prompt with similar context could get identical or near-identical outputs. More importantly, the output space of an LLM is constrained by what "random passwords" look like in its training data.
Why this matters for security
The security of a password depends on how many possibilities an attacker must try. True cryptographic randomness (like crypto.getRandomValues(), which PassGeni uses) draws from a uniform distribution across all possible character combinations. If you have a 20-character password drawn from a 95-character set, there are 95^20 possible passwords, and an attacker with no other information must search that entire space.
An LLM-generated "random" password doesn't have this property. The effective search space is whatever distribution of "password-looking strings" the model learned from its training data, which is a much smaller set. If attackers trained a model against common LLM password generation patterns (and some have), the effective entropy of your LLM password could be dramatically lower than it appears.
What LLMs are actually good for in password security
LLMs are genuinely useful for:
- Generating passphrase word lists for specific domains (though the words still need to be randomly selected from the list, not chosen by the LLM)
- Explaining password policies in plain language
- Writing password policy documentation
- Answering questions about password security best practices
They are not appropriate for: generating passwords or passphrases you intend to use for actual account security.
What to use instead
For cryptographically secure password generation, you want a tool that explicitly uses crypto.getRandomValues() (in browsers) or an equivalent OS-level CSPRNG (Cryptographically Secure Pseudo-Random Number Generator). PassGeni uses crypto.getRandomValues() exclusively; you can verify this by inspecting the network tab while generating (nothing is sent to a server) and by reading the source code.
PassGeni's strength checker calculates entropy on the assumption that the password was drawn uniformly at random. If your password came from an LLM, the displayed entropy figure is an overestimate of its actual security.
Generate your passwords with PassGeni's generator. Use an LLM for everything else.