
"Prompting each of them to generate 16-character passwords featuring special characters, numbers, and letters in different cases, produced what appeared to be complex passphrases. When submitted to various online password strength checkers, they returned strong results. Some said they would take centuries for standard PCs to crack. The online password checkers passed these as strong options because they are not aware of the common patterns. In reality, the time it would take to crack them is much less than it would otherwise seem."
"The researchers took to Claude, running the Opus 4.6 model, and prompted it 50 times, each in separate conversations and windows, to generate a password. Of the 50 returned, only 30 were unique (20 duplicates, 18 of which were the exact same string), and the vast majority started and ended with the same characters. Irregular also said there were no repeating characters in any of the 50 passwords, indicating they were not truly random."
Claude, ChatGPT, and Gemini generated 16-character passwords containing special characters, numbers, and mixed-case letters that appeared complex. Online password strength checkers rated these passphrases as strong and sometimes estimated centuries to crack on standard PCs. The checkers missed common structural patterns used by the models, making actual cracking time much shorter. Generated passwords showed repeated patterns across outputs, duplicates, consistent prefixes or suffixes, and an absence of repeating characters, indicating nonrandomness. Tests across Claude Opus 4.6, GPT-5.2, Gemini 3 Flash, Gemini 3 Pro, and an image model revealed similar predictable behaviors that could inform brute-force strategies.
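The indicators listed above (duplicates, shared first and last characters, no repeated characters) can be measured on any batch of generated passwords and compared with a uniform baseline. The following Python code is an added example, not code from the article or the researchers; the sample batch is constructed to match the counts quoted above, and the 94-symbol printable-ASCII alphabet is an assumption.

```python
import random
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # assumed: 94 symbols

def audit(passwords):
    """Compute the non-randomness indicators described above for one batch."""
    n = len(passwords)
    counts = Counter(passwords)
    top = lambda items: Counter(items).most_common(1)[0][1]
    return {
        "total": n,
        "unique": len(counts),
        "most_common_count": counts.most_common(1)[0][1],
        "top_first_char_share": top(p[0] for p in passwords) / n,
        "top_last_char_share": top(p[-1] for p in passwords) / n,
        "no_repeat_share": sum(len(set(p)) == len(p) for p in passwords) / n,
    }

def expected_no_repeat_share(length=16, alphabet_size=len(ALPHABET)):
    """Chance that one uniformly random password contains no repeated character."""
    prob = 1.0
    for i in range(length):
        prob *= (alphabet_size - i) / alphabet_size
    return prob

def constructed_biased_batch():
    """Constructed sample, NOT the study's data: 50 passwords, 30 unique, one string
    repeated 18 times, fixed first/last character, no repeated characters."""
    rng = random.Random(0)  # seeded only so the illustration is reproducible
    middle = [c for c in ALPHABET if c not in "K#"]
    uniq = ["K" + "".join(rng.sample(middle, 14)) + "#" for _ in range(30)]
    return [uniq[0]] * 18 + uniq[1:4] * 2 + uniq[4:]

def csprng_batch(n=50, length=16):
    """Baseline: every character drawn independently from the OS CSPRNG."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(n)]

if __name__ == "__main__":
    p = expected_no_repeat_share()
    print(f"uniform baseline: {p:.1%} of passwords have no repeated character")
    print(f"chance that 50 of 50 have none: {p ** 50:.1e}")
    for name, batch in (("biased", constructed_biased_batch()), ("csprng", csprng_batch())):
        print(name, audit(batch))
```

Under uniform sampling only about a quarter of 16-character passwords avoid repeating a character, so a batch in which every password does is itself strong evidence of a structured generator.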
Read at The Register