Why does this matter?
A password protects access to email, company systems, customer data, documents, applications and administrator accounts. If it is predictable, it stops being an effective barrier.
AI can create passwords that look complicated, contain letters, numbers and special characters, and pass simple “password strength” tests, but in reality are based on repeatable patterns.
This is particularly dangerous because the user may have a false sense of security: “after all, the password looked very strong.”
What could go wrong?
With AI-generated passwords, the problem is not how they look, but how predictable they are.
AI models may repeatedly suggest similar or even identical passwords to different people. They may also have their “favourite” starting points, character patterns or sequences. For criminals, this is valuable information. If they know that a password may have been generated by a specific AI model, they can create special lists of passwords typical for that model and try to crack them faster than by using a standard trial-and-error approach.
In practice, this means that a password may look as if it would take hundreds of years to crack, while with the right methods it may be vulnerable to attack much sooner.
Potential breach scenario
An employee creates an account in a new company tool. The system asks for a strong password, so the employee opens an AI tool and types: “Generate a very strong password for this system.” The employee receives a string containing uppercase letters, numbers and special characters. The password looks good, so it is used.
A few months later, an unauthorised login occurs. The analysis shows that the password was predictable and similar to patterns often generated by popular AI models. The problem was not caused by the employee’s bad intentions, but by using the wrong tool to create a security measure.
Such an incident may be not only a technical problem, but also a personal data breach. If an unauthorised person gains access to the data of customers, employees or contractors because of a weak password, the company may be required to analyse the incident, report it to the relevant data protection authority and, in some cases, also notify the individuals whose data is affected.
What not to do
- Do not ask AI to generate a password for email, a company system, online banking, an HR application, CRM, an administrator panel or any other account.
- Do not use an AI-generated password just because it “looks strong”.
- Do not save AI-generated passwords in text files, notes, emails or messaging apps.
- Do not paste existing passwords into AI tools and ask them to assess, improve or “strengthen” them.
- Do not use the same password in several places.
Remember
AI is not a password manager or a secure randomness generator. It is a tool for creating text, not for creating access security measures.
The rule is simple: do not generate passwords with AI. Create them yourself or use an approved password manager and a random password generator.
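The gap described above between how a password looks and how predictable it is, and the random generator the rule recommends, can be shown in a few lines of Python. This is an added example, not part of the original page; the alphabet, the 12-character threshold in the appearance test, the sample password and the pool size of 1,000,000 are all assumptions made for illustration.

```python
import math
import secrets
import string

# Assumption: a 76-symbol alphabet; adjust to what the target system accepts.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"

# Constructed sample standing in for a chatbot-suggested password.
CONSTRUCTED_AI_STYLE = "G7$kLm9#Qx2!Vp4@"


def generate_password(length: int = 20) -> str:
    """Pick every character independently and uniformly via the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def looks_strong(password: str) -> bool:
    """Appearance-only test: length plus the four usual character classes."""
    return (len(password) >= 12
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def effective_bits(distinct_outputs: int) -> float:
    """A source limited to N distinct outputs gives at most log2(N) bits,
    whatever the individual strings look like."""
    if distinct_outputs < 1:
        raise ValueError("distinct_outputs must be positive")
    return math.log2(distinct_outputs)


if __name__ == "__main__":
    print("random password:", generate_password())
    print("bits if uniformly random, 16 chars:", round(entropy_bits(16), 1))
    print("passes appearance test:", looks_strong(CONSTRUCTED_AI_STYLE))
    # Hypothetical pool size, chosen only to illustrate the gap.
    print("bits if source has 1,000,000 outputs:", round(effective_bits(10**6), 1))
```

The appearance test accepts the sample, yet its real strength depends on the source: about 100 bits if every character was drawn at random, about 20 bits if the source only ever produces a million distinct strings.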