If you’ve been asking ChatGPT, Claude, or Gemini to create a password for your new bank app or social media account, you may be handing hackers an easier way in.Â
AI cybersecurity firm Irregular tested the three chatbots by asking each one to generate 50 passwords in early 2026. The results looked strong at first glance, mixing upper- and lowercase letters, numbers, and symbols. But when the researchers examined the passwords more closely, they found the outputs repeated the same structures far too often to be considered random.
Claude fared the worst in the tests reported by Malwarebytes Labs. Out of 50 prompts, the chatbot returned just 23 unique passwords, with one string appearing 10 separate times. A related test cited by The Register, using Claude Opus 4.6, produced 30 unique passwords out of 50, with 18 of the 20 duplicates being identical strings.
The researchers also found consistent patterns in how each chatbot built its passwords. According to The Register, Claude’s outputs typically opened with a capital letter, most often “G,” followed by the digit 7. Gemini leaned toward “K” or lowercase “k” as a starting character, while GPT-5.2 almost always began its passwords with the letter “v,” a pattern noted separately by the security blog Schneier on Security.
Why “strong-looking” passwords aren’t secure
Password strength depends on entropy, a measure of how unpredictable a string of characters is. Irregular calculated entropy two ways: by studying the statistical spread of characters, and by estimating how likely each character was to follow the one before it. A genuinely random 16-character password should yield around 98 bits of entropy with the first method and 120 bits with the second. The Claude-generated passwords Irregular tested scored roughly 27 bits and 20 bits on those same measures, according to figures reported by both Malwarebytes Labs and The Register.
Put differently, online password checkers rated some of these AI-generated strings as needing centuries to crack. In reality, the predictable patterns behind them would let an attacker guess correctly in a fraction of that time on ordinary computer hardware.
Kevin Curran, professor of cybersecurity at Ulster University, told the tech outlet Machine that people should avoid using AI chatbots such as ChatGPT or Claude to generate passwords, calling it a risky practice. Dan Lahav, Irregular’s co-founder, was more direct in comments that Sky News verified: “You should definitely not do that.”
Notably, Google’s Gemini 3 Pro was the one chatbot that flagged its own limitations, warning users that its generated passwords should not be used for sensitive accounts and suggesting a password manager instead, per The Register’s reporting.
What to use instead
Security researchers recommend dedicated password managers, such as 1Password or Bitwarden, which generate passwords using cryptographically secure random number generators rather than predictive text patterns. For accounts that support them, passkeys offer another option: they rely on a device’s built-in fingerprint, face scan, or PIN authentication instead of a password that can be guessed or leaked.
For anyone without access to a password manager, security experts suggest combining two or three unrelated, uncommon words and mixing in a few numbers or symbols, rather than relying on a chatbot to invent something from scratch.
Though you may be turning to AI chatbots for everyday tasks, such as drafting emails or managing finances online, this research should serve as a reminder that not every task should be entrusted to AI, especially when your account security is at stake.

