We are living in the age of the AI shortcut. Whether you’re using ChatGPT to draft a tricky email to a client, asking Claude to summarise a long report, or using Gemini to plan your next team-building lunch, these tools are incredible time-savers. It’s tempting to think that since AI is “smart,” it’s the perfect tool for generating those complex, 16-character passwords we’re all told to use.
But here’s the reality: asking an AI to create a password is one of the biggest security mistakes you can make for your business.
At Cloud Computer Company, we spend a lot of time helping small business owners and IT managers lock down their digital front doors. We’ve seen a lot of trends come and go, but the rise of “AI-generated passwords” is one that genuinely keeps us up at night. While those strings of gibberish might look secure to the human eye, they are a goldmine for hackers.
In this post, we’re going to dive into why AI is fundamentally incapable of being “random,” the hidden patterns hackers are already exploiting, and what you should be using instead to keep your business data safe.
The Great AI Illusion: Prediction vs. Randomness
To understand why AI is bad at passwords, you have to understand how it actually works. AI models like ChatGPT or Claude are “Large Language Models” (LLMs). They aren’t calculators, and they aren’t random number generators. They are essentially super-powered autocomplete engines.
When you give an AI a prompt, it isn’t “thinking.” It is predicting. It looks at the massive amount of data it was trained on and calculates the most likely next character or word in a sequence. If you ask it for a recipe, it predicts that “flour” usually follows “cups of.”
When you ask it for a password, it does the same thing. It looks for patterns that look like a password.
Security, however, relies on the absolute absence of patterns. A truly secure password needs to be “stochastic”, which is just a fancy way of saying it needs to be genuinely, purely random. Because AI is designed to follow patterns and satisfy human expectations of what a “strong” password looks like, it fails the most basic test of cryptography.
Why AI Passwords are a Hacker’s Dream
A recent study highlighted by Lifehacker revealed a shocking trend. When researchers asked Claude (one of the most advanced AI models) to generate a password 50 times, it only produced 23 unique strings. One specific password appeared 10 times!
If an AI is giving you the same password it gave nine other people, that password isn’t a secret, it’s a target.
The Entropy Gap
In the world of IT security, we talk about “entropy.” This is a measure of how unpredictable a password is. A truly random 16-character password generated by a dedicated tool usually has between 98 and 120 bits of entropy.
Research has shown that AI-generated passwords of the same length often only carry 20 to 27 bits of entropy. That is a massive security gap. To a human, Xy7!pQ9@m2#R looks complicated. To a modern “brute-force” hacking tool, that password could potentially be cracked in hours, or even minutes, because the tool knows the statistical patterns the AI is likely to follow.
Wordlists and Dictionary Attacks
Hackers aren’t just sitting there typing in guesses. They use “wordlists”, massive databases of common passwords, leaked credentials, and known patterns. As more people use AI to generate passwords, hackers are simply adding those AI outputs to their lists. They are literally training their attack tools on the same logic the AI uses to create your “secure” login.
The Privacy Problem: Is Your AI Chat Private?
Beyond the technical weakness of the passwords themselves, there is a major privacy concern. When you type a prompt into a public AI tool, that data is often logged.
Most free versions of AI chatbots save your history to help train future models. Even if you delete the chat, the data has already moved through their servers. If that AI company ever suffers a data breach, or if a rogue employee accesses the logs, your “secure” password is sitting there in plain text, linked to your account.
As a business owner, you would never write your bank password on a sticky note and leave it in a public park. Using a public AI to generate credentials is the digital equivalent of doing exactly that.
What You Should Use Instead
If AI is out, how are you supposed to manage dozens of complex passwords for your business? The answer isn’t a notebook or a spreadsheet; it’s dedicated security infrastructure.
1. Dedicated Password Managers
Tools like Bitwarden, 1Password, or even the built-in Google Password Manager use “cryptographic random number generators.” Unlike AI, these tools don’t use language patterns. They use physical entropy (like the timing of your keystrokes or hardware noise) to create a string of characters that is mathematically unpredictable.
For small businesses, a team-based password manager is a game-changer. It allows you to share access to shared accounts (like the company’s social media or utility portals) without ever sending a password via email or Slack.
2. Passkeys: The Password Killer
We are moving toward a password-less world, and honestly, we couldn’t be happier. Passkeys are a new standard that uses your device’s biometric data (like a fingerprint or FaceID) to log you in. They are essentially unhackable via traditional methods because there is no “password” to steal. If a service offers Passkeys, use them.
3. Google Workspace Security
Since we specialise in Google Workspace, we always recommend making the most of the built-in security features. Google has some of the most robust threat detection in the world. By using Google as your primary identity provider, you can manage logins for hundreds of other apps via “Sign in with Google,” which is far more secure than creating a new password for every site.
A Quick Security Audit for Your Business
If you’re an IT manager or business owner reading this and thinking, “Uh oh, I might have used ChatGPT for a few logins,” don’t panic. Here is your immediate action plan:
- Identify and Reset: Change any passwords you generated with an AI tool immediately. Use a proper password manager to create the new ones.
- Enable MFA: Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) is your safety net. Even if a hacker guesses your password, they can’t get in without that second code on your phone.
- Audit Your Team: Make sure your employees aren’t using AI for security tasks. It’s worth having a quick chat about why “convenience” shouldn’t override “security.”
- Professional Checkup: Sometimes it’s hard to know where the holes are until someone looks. We offer a Google Workspace Health and Security Checkup specifically designed to find these vulnerabilities before someone else does.
Final Thoughts
AI is a brilliant tool for innovation, but it is a dangerous tool for authentication. In the world of business technology, we always want to be early adopters of things that help us grow, but we must be conservative when it comes to the “keys to the kingdom.”
Stick to proven, mathematically sound methods for your passwords. Keep the AI for your marketing copy and your spreadsheets, and leave the security to the specialists.
If you’re worried about your current security setup or want to streamline how your business handles the cloud, we’re here to help. At Cloud Computer Company, we make the complex simple: and we make sure your “simple” is also “safe.”
About Mathew
Mathew Hoffman is the owner of Cloud Computer Company. Mathew started his journey in the IT industry way back in 1981, eventually moving into senior IT roles at the State Bank of NSW, Minet Australia, Wilhelmsen Lines, and Rothmans of Pall Mall. One of his career highlights was working on the IT infrastructure for the Sydney 2000 Olympics. Since 2001, Mathew has focused on providing expert IT consultancy to small and medium businesses. He was one of the original Google Partners in 2008 and rebranded his business to Cloud Computer Company in 2017 to focus on cloud-led solutions. Now based in Noosa, Mathew is a Google Cloud Partner and Workspace certified specialist. When he’s not securing cloud environments, he enjoys watching and coaching cricket (having played in both Sydney and the Sunshine Coast), spending time with his family at the beach, or hitting the golf course.
