LLM-generated passwords ‘fundamentally weak,’ experts say • The Register
Posted by jpluimers on 2026/02/24
LLM eat a lot of energy and are their hallucination are bad: [Wayback/Archive] LLM-generated passwords ‘fundamentally weak,’ experts say • The Register
Your AI-generated password isn’t random, it just looks that way
…
AI security company Irregular looked at Claude, ChatGPT, and Gemini, and found all three GenAI tools put forward seemingly strong passwords that were, in fact, easily guessable.
…
Basically they are almost as good as the 2007 XKCD “four” number generator, the 2013 XKCD “I’m So Random” or the 2001 Dilbert “nine” number generator further below (don’t read the latter if you dislike Scott Adams)
Is it a coincidence or are these two using two small squared numbers?
Anyway: avoid LLM whenever possible, as most often they do more bad than good.
And for passwords, better use the blog post that was already scheduled for tomorrow: Generating random strings for passwords and uuids/guids on both Windows and Linux using base64 and hex encoding, plus: “Hive Systems: Are Your Passwords in the Green?”
Via [Wayback/Archive] Eloy.: “LLMs are centrist randomness: not useful for anything that requires truth but neither for password generation” – HSNL Social
Below this post, there are some great responses as well.
Comics
- [Wayback/Archive] xkcd 221: Random Number – RFC 1149.5 specifies 4 as the standard IEEE-vetted random number.
RFC 1149.5 specifies 4 as the standard IEEE-vetted random number.
- [Wayback/Archive] 221: Random Number – explain xkcd
[A computer program.]int getRandomNumber() { return 4; // chosen by fair dice roll. // guaranteed to be random. }It has inspired these:
- [Wayback/Archive] xkcd: I’m So Random
In retrospect, it’s weird that as a kid I thought completely random outbursts made me seem interesting, given that from an information theory point of view, lexical white noise is just about the opposite of interesting by definition.
- [Wayback/Archive] 1210: I’m So Random – explain xkcd
- [Black Hat is sitting in an office chair at a desk when Hairy runs up behind him with his arms raised up.]
- Hairy: Monkey tacos!
- Hairy: I’m so random.
- [A frame-less panel pans to Black Hat and his desk, showing there is a computer on his desk and that he is actually typing on a keyboard in front of him on a lowered shelf.]
- Black Hat: Yeah, me too.
- [Black Hat swivels his chair around (as shown with a gray curved line beneath the chair at his feet) to face Hairy. He then emits from his mouth a massive speech bubble filled with random numbers in gray. This torrent of random numbers knocks Hairy to the ground as he shields his face with one arm while the other grasps for the floor to cushion his fall (it is notable that speech bubbles are not normally used in xkcd.) The numbers themselves are written deliberately haphazardly and in varying sizes, which makes it difficult to read them in any consistent manner; however, for reasons explained above, there is actually some order, and using that order they would appear like this:]
- Black Hat:
-
-
-
- 100973253376520135863467354
- 876809590911739292749453754
- 204805648947429624805240372
- 063610402002291665084226895
- 319645093032320902560159533
- 476435080336069901902529093
-
-
- [With Hairy gone, Black Hat has turned back and resumed working at his computer.]
- [Wayback/Archive] Dilbert Comic Strip on 2001-10-25 | Dilbert by Scott Adams was the most recent archival of the “Tour of accounting” comic; the link itself is dead (Adams removed all his content when he de-syndicated), but the archived image is still there:
I borrowed the transcript from [Wayback/Archive] Dilbert cartoon first published on Thursday 25th October 2001
Headline: Tour of Accounting. Dilbert is wiping spit off of himself with a towel. A troll tour guide says, “Over here we have our random number generator.”
The troll places its hands on a slab of rock and relays the message of “nine nine nine nine.”
Dilbert asks, “Are you sure that’s random?”
The troll responds, “That’s the problem with randomness. You can never be sure.”There is also an open source transcript at [WaybackSave/Archive] Dilbert Comic Accessible Transcripts
TOUR OF ACCOUNTING OVER HERE WE HAVE OUR RANDOM NUMBER GENERATOR.
NINE NINE NINE NINE NINE NINE ARE YOU SURE THAT’S RANDOM?
THAT’S THE PROBLEM WITH RANDOMNESS: YOU CAN NEVER BE SURE.
- Some people reference this as the Six nines in pi – Wikipedia.
- Few remember that Dilbert originally started as a black and white comic. Luckily there are old farts like me (:
References that helped me:
- [Wayback/Archive] Random number [Dilbert] : science has the Dilbert random number generator and the two XKCD comics.
- [Wayback/Archive] Some of you cite your favorite strips. I will too. Dilbert comes down to the cav… | Hacker News lists both the Dilbert and XKCD random generator and makes me wonder why in the comments so many more people submit Dilbert comics than others. Have they not learned from Adams’ controversies?
On the positive site, it references the American Scientist in the first post:
- [Wayback/Archive] The Quest for Randomness | American Scientist is a great article with further insight on how to asses randomness. It also quotes the coloured Dilbert comic. It has this great quote:
You should suspect a coin is crooked if there exists a pattern to the coin flips that can be described by a program using substantially fewer bits than the sequence of flips itself.
- [Wayback/Archive] Better random algo than the built-in Random() function? – Ideas – Discussions on Python.org got me the link to the coloured version of the Dilbert comic (but regrettably omits the XKCD one)
- [Wayback/Archive] Comic Strip on 2001-10-25 – Dilbert Viewer did the same, and that site contains most of not all Dilbert comics.
- [Wayback/Archive] Tiggemann, Daniel: Scott Adams on Random Numbers pointed to the (now disappeared, but luckily archived) black and white GIF and its name format:
http://www.dilbert.com/comics/dilbert/archive/images/dilbert2001182781025.gifUsing this filename, you can see which files have been archived in the Wayback Machine, which at the time of writing has 2490 entries:
https://web.archive.org/web/*/http://www.dilbert.com/comics/dilbert/archive/images/dilbert*
And there you can find both the .gif and .jpg extension are used: usually for a comic, both files are there. Not for this time. The actual picture is a .gif:
- [Wayback/Archive] GitHub – jvarn/dilbert-archive: ARIA accessible text transcripts of Dilbert comics from 1989 to 2023 is the repository for
- [Wayback/Archive] Dilbert Comic Accessible Transcripts which not only has all the transcripts since 1993, but also shows that after 20230312, Adams retracted all his comics.
--jeroen
The Wiert Corner - irregular stream of stuff 
Leave a comment