Why LLM-Generated Passwords Are Dangerously Insecure

https://www.irregular.com/publications/vibe-password-generation

16•zdw•2d ago

Comments

himata4113•3h ago

huh, for me it just generates <username>123 when I ask it to generate a password lol, sometimes adds a !, more often it just forces changeme rather than having any password.

stanmancan•3h ago

Obligatory https://xkcd.com/221/

petcat•3h ago

> LLM-generated passwords (generated directly by the LLM, rather than by an agent using a tool)

This seems like kind of a pointless analysis to me? Humans also generate bad passwords. It's why we use crypto-hardened RNG tools.

jmull•2h ago

It’s pointless if you believe no one is asking LLMs to generate passwords for them.

Pooge•2h ago

Humans will always smash a screw with the handle of a spoon and be proud of themselves when they manage to do it.

camgunz•3h ago

Honest question, how much money would I make off an MCP service to generate passwords for claws and agents. Is there still gas left in the griftmobile, are prospectors still in need of shovels, will the gods bless my humble, shameless lunge for my slice of the pie?

throwatdem12311•2h ago

Not much because if you gain any traction, within a day somebody will make a clone and make it free/open source.

This is the default answer for all vibe coded slop business ideas for a while.

TheDong•2h ago

There is a marketplace for free skills (in this case a markdown file saying "run openssl rand -hex 32")

I do not think there is any money for something that trivial.

Even the irrationally exuberant VCs wouldn't put money in that.

Mordisquitos•3h ago

I only clicked on the article with no intention of reading it (no time), but rather out of morbid curiosity as to why on earth anybody would need to be told that LLMs should absolutely not be used to generate passwords.

> [...] Despite this, LLM-generated passwords appear in the real world – used by real users, and invisibly chosen by coding agents as part of code development tasks, instead of relying on traditional secure password generation methods.

Jesus F'ing Christ. I hope to have time to read the whole thing later.

sowbug•2h ago

The article is a bit of a strawman, and a bit of an advertisement for a security consultancy. If you ask someone else to pick a password for you, then it's a secret known by two people. So don't do that. That was true a thousand* years ago. It's still true today.

*I know, I know, hash functions didn't exist on Earth a thousand years ago. Still true.

ks2048•3h ago

Had me wonder - if you ask an LLM for a random number 1...100, what distribution do you get? Surely many have run this experiment. Here's a link that looks like a good example, https://sanand0.github.io/llmrandom/

RIMR•50s ago

That is interesting data. Just from looking at those graphs, it looks like AIs are consistently avoidant of the number 69, likely because of safeguards to prevent it from being offensive. Otherwise its training would probably tell it that it was a really nice number.

catlifeonmars•3h ago

This article has “why stabbing yourself with a screwdriver is bad” vibes.

CrzyLngPwd•2h ago

The article reads like it was written by a machine.

gmuslera•2h ago

This asks for a dictionary attack, not of common words, but for tokens from training that have some weight related to good passwords.

At least regarding “normal” text generation, if you tell somewhat to the LLM that generate a Python script to write down a random password and use it it may have better quality.

Show HN: A game where you build a GPU

Simple self-distillation improves code generation

Sopwith

Show HN: TurboQuant-WASM – Google's vector quantization in the browser

Apple approves driver that lets Nvidia eGPUs work with Arm Macs

Scientists observe an immune signaling complex forming inside cells

Show HN: sllm – Split a GPU node with other developers, unlimited tokens

Tell HN: Anthropic no longer allowing Claude Code subscriptions to use OpenClaw

Author of "Careless People" banned from saying anything negative about Meta

Some Unusual Trees

Artemis II crew take “spectacular” image of Earth

Components of a Coding Agent

Plague Ships

Training mRNA Language Models Across 25 Species for $165

Emotion concepts and their function in a large language model

The CMS is dead, long live the CMS

The Indie Internet Index – submit your favorite sites

Electrical Transformer Manufacturing Is Throttling the Electrified Future

The Cathedral, the Bazaar, and the Winchester Mystery House

Mbodi AI (YC P25) Is Hiring

Claude Code Found a Linux Vulnerability Hidden for 23 Years

Why the Most Valuable Things You Know Are Things You Cannot Say

Notes from from Butterick's Practical Typography

IBM 3270 Information Display System: Color and Programmed Symbols (1979) [pdf]

When legal sports betting surges, so do Americans' financial problems

German men 18-45 need military permit for extended stays abroad

I rebuilt the same project after 15 years – what changed in web dev

A new gene therapy is giving people born deaf the chance to hear

The most-disliked people in the publishing industry

OpenClaw privilege escalation vulnerability