posted by mrpg on Saturday February 28, @11:11AM
from the G7 dept.

https://www.irregular.com/publications/vibe-password-generation

To security practitioners, the idea of using LLMs to generate passwords may seem silly. Secure password generation is nuanced, and requires care to implement correctly; the random seed, the source of entropy, the mapping of random output to password characters, and even the random number generation algorithm must be chosen carefully in order to prevent critical password recovery attacks. Moreover, password managers (generators and vaults) have been around for decades, and this is exactly what they’re designed to do.

At the heart of any strong password generator is a cryptographically-secure pseudorandom number generator (CSPRNG), responsible for generating the password characters in such a way that they are very hard to predict, and are drawn from a uniform probability distribution over all possible characters.

Conversely, the LLM output token sampling process is designed to do exactly the opposite. Basically, all LLMs do is iteratively predict the next token; the random generation of tokens is, by definition, predictable (with the token probabilities decided by the LLM), and the probability distribution over all possible tokens is very far from uniform.

In spite of this, LLM-generated passwords are likely to be generated and used. First, with the explosive growth and significant improvement in capabilities of AI over the past year (which, at Irregular, we have also seen direct evidence of in the offensive security domain), AI is much more accessible to less technologically-inclined users. Such users may not know secure methods for password generation, not place importance on them, and rely on ubiquitous AI tools to generate a password instead of looking for a specialized tool, such as a password manager. Moreover, while LLM-generated passwords are insecure, they appear strong and secure to the untrained eye, exacerbating this issue and reducing the likelihood that users will avoid these passwords.

Furthermore, with the recent surge in popularity of coding agents and vibe-coding tools, people are increasingly developing software without looking at the code. We’ve seen that these coding agents are prone to using LLM-generated passwords without the developer’s knowledge or choice. When users don’t review the agent actions or the resulting source code, this “vibe-password-generation” is easy to miss.

TFA shows results obtained using several major LLMs, including GPT, Claude, and Gemini in their latest versions and most powerful variations, and finds that all of them generate weak passwords.

Originally spotted on Schneier on Security.
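As an added example (not code from the Irregular article or from this post), the following Python contrasts the sources the summary describes: a CSPRNG with a uniform symbol mapping (and the modulo-biased mapping it must avoid), a seeded non-cryptographic PRNG, and a peaked distribution standing in for next-token sampling. The Zipf skew is constructed for illustration and is not a measurement of any model; the 94-symbol alphabet and 16-symbol length are assumptions.

```python
# Added example (not from the Irregular article or SoylentNews): contrasts a
# CSPRNG-backed password generator with weaker sources and quantifies the
# difference in bits. The "LLM-like" distribution is a constructed Zipf skew,
# not measurements of any real model.
import math
import random
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def csprng_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniform and unpredictable: secrets.choice reads the OS entropy pool and
    rejects out-of-range values, so every symbol is equally likely."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def seeded_password(seed: int, length: int = 16, alphabet: str = ALPHABET) -> str:
    """Anti-pattern: a seeded, non-cryptographic PRNG. Anyone who learns or
    can enumerate the seed reproduces the password exactly."""
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


def modulo_map(raw_byte: int, n: int):
    """Naive byte-to-index mapping. 256 is not a multiple of 94, so indices
    0..67 are reachable from three byte values and 68..93 from only two."""
    return raw_byte % n


def rejection_map(raw_byte: int, n: int):
    """Correct mapping: discard bytes at or beyond the largest multiple of n,
    then reduce. Every index is reachable from the same number of byte values."""
    limit = 256 - (256 % n)
    return raw_byte % n if raw_byte < limit else None


def index_distribution(n: int, mapper) -> list[float]:
    """Probability of each index 0..n-1 when a uniform byte goes through mapper."""
    counts = Counter()
    for b in range(256):
        i = mapper(b, n)
        if i is not None:
            counts[i] += 1
    total = sum(counts.values())
    return [counts[i] / total for i in range(n)]


def zipf_distribution(n: int) -> list[float]:
    """Constructed stand-in for a peaked next-token distribution: p_i is
    proportional to 1/i."""
    weights = [1.0 / (i + 1) for i in range(n)]
    total = sum(weights)
    return [w / total for w in weights]


def entropy_bits(probs: list[float]) -> tuple[float, float]:
    """(Shannon entropy, min-entropy) in bits. A guessing attack is bounded by
    min-entropy, -log2(max p), not by the Shannon average."""
    shannon = -sum(p * math.log2(p) for p in probs if p > 0)
    min_entropy = -math.log2(max(probs))
    return shannon, min_entropy


def password_min_entropy_bits(length: int, probs: list[float]) -> float:
    """Min-entropy of a password whose symbols are drawn independently from probs."""
    return length * entropy_bits(probs)[1]


if __name__ == "__main__":
    n = len(ALPHABET)
    for name, dist in [
        ("uniform (rejection sampling)", index_distribution(n, rejection_map)),
        ("modulo-biased", index_distribution(n, modulo_map)),
        ("Zipf-skewed (constructed)", zipf_distribution(n)),
    ]:
        shannon, min_ent = entropy_bits(dist)
        print(f"{name:30s} per symbol: H={shannon:.2f} Hmin={min_ent:.2f}  "
              f"16-symbol password Hmin={password_min_entropy_bits(16, dist):.1f} bits")
    print("CSPRNG:", csprng_password())
    print("seeded twice with 1234, identical:",
          seeded_password(1234) == seeded_password(1234))
```

Running it prints per-symbol Shannon and min-entropy for each source. The figure that bounds a guessing attack is min-entropy: a 16-symbol password from the uniform source carries about 105 bits, the modulo-biased mapping quietly loses a fraction of a bit per symbol, and the skewed source drops to roughly 38 bits for the same length, which is the summary's point about non-uniform token sampling in numbers.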


  • (Score: 5, Informative) by JoeMerchant on Saturday February 28, @02:05PM (4 children)

    by JoeMerchant (3937) on Saturday February 28, @02:05PM (#1435186)

    >Secure password generation is nuanced, and requires care to implement correctly; the random seed, the source of entropy, the mapping of random output to password characters, and even the random number generation algorithm must be chosen carefully in order to prevent critical password recovery attacks.

    NIST finally woke up: https://proton.me/blog/nist-password-guidelines [proton.me]

    XKCD "got it" long ago: https://xkcd.com/936/ [xkcd.com]

    The security of your password doesn't depend on its randomness, it depends on its secrecy. Yet another appropriate perspective: https://xkcd.com/538/ [xkcd.com]

    If you control your LLM and can securely wipe its state, it is perfectly capable of generating a secure password - just nuke all traces of how it came up with it after you have transferred it out. Personally, were I tasked with it, I would ask my LLM to create a deterministic program that builds a dictionary from randomized sources, possibly grab another dictionary of "most commonly used passwords" and removes those from the dictionary, shuffles that dictionary based on a random seed, then picks 4 words at random from that dictionary based on another random seed, then erase the dictionary. Every new "secure" password comes from a run of that program - with the meatbag tasked with using the password approving it, if they think they can remember it then that's the password. If the meatbag has any sense, they have it generate about a dozen possible passwords then choose one from the middle, throw away one of the words and replace it with a number that means something to them. Done.

    If your password gateway is letting attackers try millions of wrong guesses per week, you are doing it wrong.

    --
    🌻🌻🌻🌻 [google.com]
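The procedure in the comment above, written out as an added example in Python (not JoeMerchant's program, nor code from the article): normalize a word list, strip entries found on a common-password list, then draw words uniformly with the CSPRNG behind `secrets`. The word list and blocklist are constructed inline for illustration; the function names, the 4-word default and the 12-candidate batch are assumptions taken from the comment's description.

```python
# Added example (not JoeMerchant's program or any project's code): the
# passphrase procedure from the comment, with word list and blocklist
# constructed inline so it runs offline. A real deployment would load a
# published list such as the EFF large wordlist (7776 words) instead.
import math
import secrets

SAMPLE_WORDS = [  # constructed; deliberately includes junk and blocklisted entries
    "correct", "horse", "battery", "staple", "Password", "dragon", "lantern",
    "orbit", "velvet", "quartz", "meadow", "cobalt", "ripple", "falcon",
    "granite", "saddle", "tundra", "walnut", "harbor", "pixel", "monkey",
    "ember", "summit", "glacier", "thistle", "bamboo", "canyon", "anchor",
    "fossil", "nectar", "123456", "letmein", "horse",
]
COMMON_PASSWORDS = {"password", "dragon", "monkey", "letmein", "123456"}  # constructed


def build_dictionary(words, blocklist):
    """Normalize, dedupe, drop non-alphabetic entries, then remove anything on
    the common-password list. Returns a sorted list; ordering is irrelevant to
    security because each pick below is an independent uniform draw."""
    cleaned = {w.lower() for w in words if w.isalpha()}
    banned = {b.lower() for b in blocklist}
    return sorted(cleaned - banned)


def passphrase(dictionary, n_words=4, separator=" "):
    """Pick n_words independently with secrets.choice (CSPRNG, uniform, with
    replacement). Sampling with replacement keeps the entropy at exactly
    n_words * log2(len(dictionary)) and never 'uses up' words."""
    if len(dictionary) < 2:
        raise ValueError("dictionary too small to draw from")
    return separator.join(secrets.choice(dictionary) for _ in range(n_words))


def passphrase_entropy_bits(dictionary_size, n_words):
    """Bits an attacker who knows the word list and the scheme still has to guess."""
    return n_words * math.log2(dictionary_size)


def candidates(dictionary, count=12, n_words=4):
    """A batch for the human to choose from. Letting a person pick one of N
    uniformly generated phrases costs at most log2(N) bits of min-entropy,
    so a dozen candidates give up under 4 bits against a worst-case attacker."""
    return [passphrase(dictionary, n_words) for _ in range(count)]


def audit(phrase, dictionary, blocklist, separator=" "):
    """Defensive output check: every word from the dictionary, none blocklisted."""
    words = phrase.split(separator)
    return all(w in dictionary for w in words) and not any(w in blocklist for w in words)


if __name__ == "__main__":
    d = build_dictionary(SAMPLE_WORDS, COMMON_PASSWORDS)
    print(f"{len(d)} usable words -> "
          f"{passphrase_entropy_bits(len(d), 4):.1f} bits for 4 words "
          f"(EFF large list: {passphrase_entropy_bits(7776, 4):.1f} bits)")
    for p in candidates(d):
        print(p, "ok" if audit(p, d, COMMON_PASSWORDS) else "REJECT")
```

The shuffle step from the comment is left out here: each `secrets.choice` is already an independent uniform draw, so the list's order carries no information. Offering the human a batch to choose from costs at most log2(batch size) bits of min-entropy, which is why `candidates` stays small; hand-editing a word afterwards moves part of the secret outside the generator's accounting and is not modelled.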
  • (Score: 5, Funny) by Whoever on Saturday February 28, @02:13PM (3 children)

    by Whoever (4524) on Saturday February 28, @02:13PM (#1435187) Journal

    I wonder how many people actually use the password "correcthorsebatterystaple" or some simple modification of that?

    • (Score: 4, Touché) by RS3 on Saturday February 28, @03:17PM (1 child)

      by RS3 (6367) on Saturday February 28, @03:17PM (#1435195)

      Pretty much the same people who use "password" and "123457890".

      • (Score: 3, Funny) by Freeman on Monday March 02, @03:11PM

        by Freeman (732) on Monday March 02, @03:11PM (#1435412) Journal

        But no longer; they are using the proven better password "correcthorsebatterystaple".

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 5, Interesting) by VLM on Saturday February 28, @03:40PM

      by VLM (445) on Saturday February 28, @03:40PM (#1435197)

      "Back in the day" the boys and I were sitting around at work, back when complexity requirements were still cool, via gossip we determined that near 100% of passwords actually used implemented the password requirements in strict order

      So a requirement list reading "at least one capital letter, at least one digit, at least one special character" results in near 100% of passwords being of the form "Word1-" because that's how the list of requirements was presented. This is a dramatic collapse in possible passwords.