Discussion
Vibe Password Generation: Predictable by Design
himata4113: huh, for me it just generates <username>123 when I ask it to generate a password lol, sometimes adds a !, more often it just forces changeme rather than having any password.
stanmancan: Obligatory https://xkcd.com/221/
ks2048: Had me wonder - if you ask an LLM for a random number 1...100, what distribution do you get? Surely many have run this experiment. Here's a link that looks like a good example, https://sanand0.github.io/llmrandom/
gmuslera: This asks for a dictionary attack, not of common words, but of tokens from training that have some weight related to good passwords. At least regarding "normal" text generation, if you tell the LLM to generate a Python script that writes down a random password, and use that, it may have better quality.
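The Python-script route gmuslera mentions, and the `<username>123` / `changeme` shapes himata4113 describes, as an added example that is not part of any comment in this thread: a generator that draws from the standard-library `secrets` module (the OS CSPRNG, not `random`), an entropy estimate for the result, and a small check that flags the predictable shapes the thread names. The alphabet, the weak-pattern regex and the word list are assumptions made for this example.

```python
import math
import re
import secrets
import string

# Constructed alphabet for the example: letters, digits and a fixed symbol set (74 chars).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

# Constructed list of placeholder values the thread says the model tends to emit.
PLACEHOLDERS = {"changeme", "changeme!", "password", "password1"}


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a password of `length` characters drawn uniformly from `alphabet`.

    secrets.choice() reads from the OS CSPRNG. random.choice() would be the wrong
    tool here: Mersenne Twister output is predictable once enough of it is seen,
    and a model-written script that seeds it by hand is worse still.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).

    This is the figure to compare against a model's output, which has no such
    guarantee regardless of how long or symbol-heavy it looks.
    """
    return length * math.log2(alphabet_size)


def looks_predictable(password: str, username: str = "") -> bool:
    """Flag the shapes named in the thread: a placeholder word, or
    <username> followed by a few digits and an optional '!' (assumed regex)."""
    lowered = password.lower()
    if lowered in PLACEHOLDERS:
        return True
    if username:
        pattern = re.escape(username.lower()) + r"\d{1,4}!?"
        if re.fullmatch(pattern, lowered):
            return True
    return False


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw), len(ALPHABET)):.1f} bits)")
    for candidate in ("alice123", "alice123!", "changeme", pw):
        print(f"{candidate!r}: predictable={looks_predictable(candidate, 'alice')}")
```

The check is deliberately narrow: it recognises only the two shapes the thread reports, and a password that passes it is not thereby strong. The entropy figure, not the check, is what tells you whether a generator is adequate.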
Mordisquitos: I only clicked on the article with no intention of reading it (no time), but rather out of morbid curiosity as to why on earth anybody would need to be told that LLMs should absolutely not be used to generate passwords.

> [...] Despite this, LLM-generated passwords appear in the real world – used by real users, and invisibly chosen by coding agents as part of code development tasks, instead of relying on traditional secure password generation methods.

Jesus F'ing Christ. I hope to have time to read the whole thing later.
sowbug: The article is a bit of a strawman, and a bit of an advertisement for a security consultancy. If you ask someone else to pick a password for you, then it's a secret known by two people. So don't do that. That was true a thousand* years ago, and it's true today.

*I know, I know, hash functions didn't exist on Earth a thousand years ago. Still true.