Researchers have found that passwords generated by large language models (LLMs) may not be as complex as they look. LLM output tends to fall into repeated patterns, and an attacker who learns those patterns has far fewer candidates to try, so the passwords are easier to crack. Because AI systems are built to predict the most likely output, and a password is only as strong as it is unpredictable, the two goals pull in opposite directions.
The Power of True Randomness
True randomness is one of the foundations of our digital world. People tend to associate randomness with dice rolls or lottery numbers, but it is woven into everyday life.
Whether you are unlocking your car, logging in to your bank account, or entering a one-time passcode for your Apple ID, random number generators keep those values unpredictable, and therefore secure and fair. Hardware random number generators go a step further and draw on physical processes such as quantum fluctuations or radioactive decay.
Randomness is also tightly regulated in iGaming and casinos. Anyone who has played online slots in the UK will know that the games are driven by regulated random number generators that are independently tested so that outcomes cannot be predicted in practice.
That is what makes games like Roaring Coins or Cash Chips fair. Randomness also turns up in places people overlook: weather patterns, the formation of a snowflake, and the veins on a leaf are all partly random.
Because randomness is so critical, it is tempting to assume that an advanced AI is the natural tool for producing random numbers. But systems designed to imitate human output are not inherently random, since human behaviour is itself predictable to a large degree.
Cryptographic Generators are Recommended
Rather than AI password generators, security experts recommend cryptographically secure random number generators (CSPRNGs), such as the ones built into operating systems and password managers.
The reason is that a CSPRNG has unpredictability at its core: it is seeded from entropy the operating system gathers and is designed so that no observer can predict its next output. An LLM, by contrast, learns from human-written text, and although its output may look random on the surface, it is far from it. LLMs cannot generate true randomness because they are fundamentally predictive engines: they produce each next word or character according to how likely it is to follow the previous ones in their training data.
Cryptographic key generators, on the other hand, produce keys with a defined structure but unpredictable content. They take the CSPRNG output and feed it into mathematical algorithms, either directly as symmetric keys or as the input to a key-generation routine that yields a mathematically linked public/private key pair.
Security tests reported by a number of AI firms have shown that LLM-generated passwords, typically 16 characters long, look complex but carry only an estimated 20 to 27 bits of entropy, because the characters are not chosen independently of one another.
For reference, a genuinely random password should carry between 98 and 120 bits; a 16-character password drawn uniformly from the 94 printable ASCII characters reaches about 105 bits, and the same 16 characters drawn from letters and digits alone about 95 bits. A second problem is that asking an LLM for a password sends the string over the network to the model provider, where it may be retained in server logs or in your chat history, so the password may already be exposed before it is ever used.
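As an added illustration that is not part of the original article, the following Python shows the arithmetic behind these figures and the generator choice the article recommends: the entropy of a uniformly random password versus one assembled from a template, and the `secrets` module (the OS CSPRNG) versus a seeded `random.Random`, which is predictable by design. The constructed password `Sunflower42!` and the template slot sizes (2000 words, 100 two-digit numbers, 32 symbols) are assumptions for the illustration, not figures from the article.

```python
import math
import random
import secrets
import string

# The 94 printable, non-whitespace ASCII characters.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose every character is chosen uniformly and
    independently from an alphabet of alphabet_size symbols: length * log2(size)."""
    return length * math.log2(alphabet_size)


def template_entropy_bits(choices_per_slot) -> float:
    """Entropy of a password assembled from a template such as Word + 2 digits + symbol.

    Only the number of ways to fill each slot counts, not the number of characters
    in the result, which is why a long but structured password can score very low."""
    return sum(math.log2(n) for n in choices_per_slot)


def length_for_target(target_bits: float, alphabet_size: int) -> int:
    """Smallest uniformly random password length that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Generate a password from the OS CSPRNG via the secrets module.

    secrets.choice draws each character independently and uniformly, so the
    result carries password_entropy_bits(length, len(alphabet)) bits."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def seeded_password(seed: int, length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Anti-example: the same construction on random.Random (Mersenne Twister).

    Anyone who knows the seed, or observes enough earlier outputs, can reproduce
    the whole sequence, so this is NOT suitable for passwords or keys."""
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed patterned password: a dictionary word, two digits and one symbol.
    # Slot sizes (2000 words, 100 numbers, 32 symbols) are assumptions for the demo.
    patterned = "Sunflower42!"
    print(f"{patterned!r}: {len(patterned)} chars, template entropy "
          f"{template_entropy_bits([2000, 100, 32]):.1f} bits")
    print(f"Uniform random password of the same length: "
          f"{password_entropy_bits(len(patterned), len(PRINTABLE)):.1f} bits")

    pw = generate_password(16)
    print(f"{pw!r}: 16 chars from secrets, "
          f"{password_entropy_bits(16, len(PRINTABLE)):.1f} bits")

    print("Length needed for 98 bits from printable ASCII:",
          length_for_target(98, len(PRINTABLE)))
    print("Length needed for 120 bits from printable ASCII:",
          length_for_target(120, len(PRINTABLE)))

    # The seeded generator returns the identical "password" on every run.
    print("seeded(42) == seeded(42):", seeded_password(42) == seeded_password(42))
```

The contrast to take away is the second line of output: a 12-character templated password scores about 23 bits while a uniformly random 12-character string from the same printable alphabet scores about 79, so the length of an LLM's output says nothing about its strength; only how the characters were chosen does.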
Avoiding LLMs for this task and using a cryptographic random number generator instead keeps a password both unpredictable and private, so you are not compromising your data without knowing it.
