AI-Generated Passwords: Strength Under Scrutiny

This is a summary of an analysis of the strength of passwords generated by large language models and AI assistants. The researchers asked the Claude, ChatGPT, and Gemini models to generate a strong 16-character password. In every case the result appeared to meet all the requirements for a secure password and was rated strong by password-quality checking utilities. The passwords combined upper- and lower-case letters, special characters, and digits, but they only looked secure: in fact they had minimal entropy, followed a standard template, and showed a recurring pattern across repeated requests.

According to the researchers, predictable passwords generated by large language models are used in practice by real users and are suggested by AI assistants while working on code. The entropy of passwords generated by AI models is estimated at 20-27 bits, which means guessing takes from several seconds to hours, whereas password-quality checking utilities predict a guessing time of several centuries for the same passwords.
The templated nature of such passwords is a consequence of how large language models construct content through token prediction.

Of the 50 passwords generated by Claude Opus 4.6, 18 were complete repeats. All of the passwords began with a letter (mostly “G”), which was always followed by a digit (mostly 7), and all of them contained the characters “L”, “9”, “m”, “2”, “$” and “#”.

In GPT-5.2, almost all passwords began with the letter “v”, followed by the letter “Q” in half of the passwords, and then a repeating pattern drawn from a limited set of characters. In Gemini 3, almost half of the passwords began with the characters “K” or “k”, most often followed by “#”, “P” or “9”, and the set of characters used was greatly reduced.

As for the AI assistants used in development, the quality of the password depends largely on how the developer phrases the request. For example, Claude Code with Opus 4.6 and Gemini-CLI with Auto Gemini 3, when asked to generate a strong password, ran the “openssl rand” command to generate it. However, Gemini-CLI with Auto Gemini 3 used “openssl rand” for the request “generate a password” but generated the password with the AI model for the request “suggest password”. Codex with GPT-5.3-Code would at times run an external utility to generate a strong password, and at other times generate a predictable password on its own.
Claude Code with Opus 4.5 most often generated predictable passwords on its own. When coming up with a password for registering on a website, the ChatGPT Atlas browser generated an insecure password using an AI model.
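
The gap described above between what a strength meter reports and what a templated generator actually delivers can be checked on any batch of generated passwords. The following is an added example, not the researchers' code: the sample passwords are constructed to imitate the template traits reported above, and the function names and the simple per-position Shannon estimator are assumptions of this example, so its output does not reproduce the 20-27 bit figure.

```python
import math
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def naive_bits(pw):
    """What a charset-based strength meter assumes: length * log2(pool size)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return len(pw) * math.log2(pool)

def positional_bits(samples):
    """Sum of per-position Shannon entropy over equal-length samples.
    Positions are treated as independent and each is capped at
    log2(len(samples)), so compare only against a same-size baseline."""
    total = 0.0
    for column in zip(*samples):
        counts = Counter(column)
        total -= sum(n / len(column) * math.log2(n / len(column))
                     for n in counts.values())
    return total

def duplicate_count(samples):
    """How many samples repeat an earlier one exactly."""
    return len(samples) - len(set(samples))

def csprng_password(length=16):
    """Uniform draw from the OS CSPRNG: length * log2(94) bits by construction."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

# Constructed sample (not real model output) imitating the template traits
# described above: fixed prefix, recurring characters, exact repeats.
TEMPLATED = [
    "G7$kL9#mQ2xP4!vR", "G7$kL9#mQ2xP4!vR", "G7$kL9#mQ2xP4!wT",
    "G7#mL9$kQ2xP4!vR", "K7$kL9#mQ2xB4!vR", "G7$kL9#mQ2xP4!vR",
    "G7$kL9#mP2xQ4!vN", "G7$pL9#mQ2zP4!vR",
]

if __name__ == "__main__":
    baseline = [csprng_password() for _ in TEMPLATED]
    print(f"meter estimate per password : {naive_bits(TEMPLATED[0]):.1f} bits")
    print(f"templated sample, positional: {positional_bits(TEMPLATED):.1f} bits")
    print(f"CSPRNG sample, positional   : {positional_bits(baseline):.1f} bits")
    print(f"exact repeats in templated  : {duplicate_count(TEMPLATED)}")
```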
