60
LLM-generated passwords 'fundamentally weak,' experts say (www.theregister.com)
submitted 17 hours ago by fox@hexbear.net to c/chapotraphouse@hexbear.net
26 comments fedilink hide all child comments

The way LLMs work is by approaching the most "average" response given any particular input. It's why everything written by an LLM looks similar and always has the same voice.

Anyways, shockingly, the Machine That Generates the Average Output is bad at unique passwords.

Of the 50 returned, only 30 were unique (20 duplicates, 18 of which were the exact same string), and the vast majority started and ended with the same characters.

Imagine that an LLM tries to fit its outputs into a bell curve of potential responses, with each character in the output aimed to be as close to the middle as feasible (with a small randomization factor so it's not always the exact same). A good password's bell curve ought to be a completely flat graph where any character is just as likely to be chosen as any other character.

Use a password manager.

all 27 comments
sorted by: hot top controversial new old
[-] aanes_appreciator@hexbear.net 11 points 10 hours ago

WHY ARE WE USING LLMS TO GENERATE RANDOM STRINGS WHEN WE HAVE CIRCUITS BARELY ATOMS THICK DESIGNED BY PHYSICISTS TO DO THAT SHIT A BILLION TIMES FASTER?!! STOP IT. STOP.

[-] ZeroHora@lemmy.ml 31 points 16 hours ago

Who is this person that ask gpt to generate a random password?

[-] JoeByeThen@hexbear.net 16 points 15 hours ago

Hunter

[-] Meltyheartlove@hexbear.net 15 points 14 hours ago

chappi I forgot my password helppp doggirl-tears 🤖 hunter 12345678 password

[-] rattlethatlock42@hexbear.net 39 points 17 hours ago

People ask AI for passwords? Bloody hell.

[-] Evilphd666@hexbear.net 11 points 15 hours ago

monke-beepboop Here I am blindly smashing buttons until it passes the requirements.

[-] chgxvjh@hexbear.net 7 points 14 hours ago

For 10 years my paypal password was sliding my finger over parts of 3 rows of the keyboard. I think I've changed it.

[-] D61@hexbear.net 19 points 15 hours ago* (last edited 15 hours ago)

monke-beepboop me using an LLM genAI agent to ask other LLM genAI agents what user names and their passwords they were asked to make

anakin-padme-2 this can't possibly work, right?

[-] InevitableSwing@hexbear.net 12 points 16 hours ago

Can I trust you to give me accurate legal advice, medical advice, tax advice plus be in a relationship with me plus give me strong passwords because you are smart and clever? Or are you a soulless plagiarism machine that can't be trusted and my relationship to you is corrupting my already deluded mind?

Thanks for the gold kind stranger.

Oh! I forgot! You're smart and clever and funny!

I am.

I love you, Moloch2.

I love you too, Password123!

[-] RaspberryTuba@hexbear.net 10 points 16 hours ago* (last edited 14 hours ago)

Claude code at least will call tooling to generate a random hash. Otherwise…

[-] fox@hexbear.net 1 points 11 hours ago

Yeah, it definitely says it does

[-] RaspberryTuba@hexbear.net 2 points 11 hours ago* (last edited 10 hours ago)

It generates a prompt asking to run the hash generation on your system using proper tools for it. They’re not all equal, not even when it’s the same LLM in another context.

EG - Opus 4.6 is one of the ones repeatedly generating trash in the article, while it’s currently the top of the line LLM for Claude code and it’ll properly generate a password in that.

[-] QuillcrestFalconer@hexbear.net 15 points 17 hours ago

Using AI to substitute a rand() call

[-] segfault11@hexbear.net 9 points 16 hours ago

but it told me hunter2 was the most secure password possible…

[-] BobDole@hexbear.net 9 points 14 hours ago

but it told me ******* was the most secure password possible…

I don’t get it

[-] miz@hexbear.net 13 points 17 hours ago

not-built-for-this

[-] ClathrateG@hexbear.net 12 points 17 hours ago

Use a password manager.

Yes but also be aware of https://www.theregister.com/2026/02/16/password_managers/

[-] bobs_guns@lemmygrad.ml 11 points 15 hours ago

Can't believe these were marketed as zero knowledge. If a server knows the ciphertext or even the size of the ciphertext that is not zero knowledge, by definition.

[-] Collatz_problem@hexbear.net 14 points 17 hours ago

My password manager is a piece of paper hidden in one of my books.

[-] WokePalpatine@hexbear.net 8 points 16 hours ago

The more digitally-dependant society becomes, the more analog methods become secure. Like, most old people in the imperial core are getting defrauded online, not because they have a notebook by the computer with their passwords written down.

[-] Belly_Beanis@hexbear.net 13 points 16 hours ago

I never understood the logic about not writing down passwords in your own home. If somebody can steal my passwords, I have a far more serious problem.

[-] Damarcusart@hexbear.net 1 points 8 hours ago* (last edited 8 hours ago)

My handwriting looks like a very drunk chimpanzee's. I can barely tell what I wrote an hour after I wrote it, let alone 6 months later when I'm trying to work out a password.

[-] ChaosMaterialist@hexbear.net 5 points 12 hours ago

It's the kind of advice against a post-it note on your monitor (especially in a shared place like an office) but often gets over applied to all paper backups. I keep backup access to my password manager in a paper envelope with other important documents just in case.

[-] chgxvjh@hexbear.net 6 points 14 hours ago

Just don't put it up on the pinwall in front of your webcam.

[-] Llituro@hexbear.net 8 points 17 hours ago

my passwords are misspelled literary references. ChatGPT will not find me

this post was submitted on 18 Feb 2026
60 points (100.0% liked)

Chapotraphouse

14277 readers
756 users here now

Banned? DM Wmill to appeal.

No anti-nautilism posts. See: Eco-fascism Primer

Slop posts go in c/slop. Don't post low-hanging fruit here.

founded 5 years ago
MODERATORS
LENINSGHOSTFACEKILLA@hexbear.net
corgiwithalaptop@hexbear.net
a_little_red_rat@hexbear.net
khizuo@hexbear.net
thelastaxolotl@hexbear.net
CoolerOpposide@hexbear.net