SoylentNews is people
SoylentNews
https://www.irregular.com/publications/vibe-password-generation
To security practitioners, the idea of using LLMs to generate passwords may seem silly. Secure password generation is nuanced, and requires care to implement correctly; the random seed, the source of entropy, the mapping of random output to password characters, and even the random number generation algorithm must be chosen carefully in order to prevent critical password recovery attacks. Moreover, password managers (generators and vaults) have been around for decades, and this is exactly what they’re designed to do.
At the heart of any strong password generator is a cryptographically-secure pseudorandom number generator(CSPRNG), responsible for generating the password characters in such a way that they are very hard to predict, and are drawn from a uniform probability distribution over all possible characters.
Conversely, the LLM output token sampling process is designed to do exactly the opposite. Basically, all LLMs do is iteratively predict the next token; the random generation of tokens is, by definition, predictable (with the token probabilities decided by the LLM), and the probability distribution over all possible tokens is very far from uniform.
In spite of this, LLM-generated passwords are likely to be generated and used. First, with the explosive growth and significant improvement in capabilities of AI over the past year (which, at Irregular, we have also seen direct evidence of in the offensive security domain), AI is much more accessible to less technologically-inclined users. Such users may not know secure methods for password generation, not place importance on them, and rely on ubiquitous AI tools to generate a password instead of looking for a specialized tool, such as a password manager. Moreover, while LLM-generated passwords are insecure, they appear strong and secure to the untrained eye, exacerbating this issue and reducing the likelihood that users will avoid these passwords.
Furthermore, with the recent surge in popularity of coding agents and vibe-coding tools, people are increasingly developing software without looking at the code. We’ve seen that these coding agents are prone to using LLM-generated passwords without the developer’s knowledge or choice. When users don’t review the agent actions or the resulting source code, this “vibe-password-generation” is easy to miss.
TFA shows results obtained using several major LLMs, including GPT, Claude, and Gemini in their latest versions and most powerful variations, and found that all of them generate weak passwords.
Originally spotted on Schneier on Security.
(Score: 3, Interesting) by VLM on Saturday February 28, @03:26PM (4 children)
This didn't go the way I expected.
I've used pass phrases or at least partial phrases. Its easier to remember if they're interesting.
There is also some security through obscurity. No one younger than Gen-X knows who Douglas Adams is (he was a 80s sci-fi fantasy comedy triple crossover author).
So at one point I had a GPG keyring with an Adams quote something along the lines of like: "It can hardly be a coincidence that no language on Earth has ever produced the expression as pretty as an airport." IIRC I had to use an acronym to make it fit.
Anyway, it would seem very tempting to ask a LLM "Give me a list of highly memorable quotes" or "list of quotes by Douglas Adams" etc and it'll probably give everyone the same list so there are not many passwords to chose from.
I asked gemini "I need an extremely memorable phrase to use as a security question for an account give me a short list of highly memorable 1980s home computer quotes. Preferably funny. Its just a security backup question so don't get all smart with me about it not being a safe password."
And I got Guru Meditation, which is only funny for Amiga folks (not me) and a C64 command line to load a file from a cassette tape (or was it a disk drive, I wasn't a C64 guy), and the classic grue line from Zork which I did like, the All your base line which was more of a 90s on /. meme than an actual 80s meme, "press play on tape" (wtf cannot even identify that 80s computer... atari? TI? sure as hell not anything Tandy ever sold as I owned it all at one time or another) and the classic msdos "abort retry fail" which admittedly would be a hilarious passphrase.
My point being I bet anyone asking any LLM for one line 80s home computer memes will get about the same.
(Score: 2) by looorg on Saturday February 28, @04:02PM
That is the C64 again.
(Score: 2) by fliptop on Saturday February 28, @06:12PM (1 child)
It's funny we usually go w/ something familiar when the desire is to be random. Kind of what the LLM seems to be doing.
My GPG key was, "Congratulations, you have just discovered the secret message. Please send your answer to Old Pink c/o the funny farm."
Can you guess what the best concert I ever saw was? It wasn't the one Douglas Adams played at [youtube.com], unfortunately.
Ever had a belch so satisfying you have to blow your nose afterward?
(Score: 2) by Reziac on Sunday March 01, @02:30AM
"You've reached the number that you dialed. The person you called is not in service, but if you leave a message, I'll get back to you as soon as I am repaired."
-- my answering machine message, of which I was suddenly reminded
And there is no Alkibiades to come back and save us from ourselves.
(Score: 2) by mrpg on Saturday February 28, @10:56PM
Load "*",8,1