If your team is using ChatGPT or Copilot to draft emails and clean up reports, asking it for a strong password feels like a natural next step. Sixteen characters, mix of letters and numbers, throw in a couple symbols. Looks great.
Don’t do it. Especially not for any account that touches business data.
Security researchers at Irregular tested this in February 2026. They asked the major AI tools, including ChatGPT, Claude, and Gemini, to generate passwords. Fifty times each, in fresh conversations. The results looked strong at a glance. They were not. And for a business already short on time, this is exactly the kind of shortcut that quietly creates a security hole nobody notices until something goes wrong.
Why AI is bad at this specific job
A password is only as strong as it is unpredictable. That’s the whole game. Real password generators use what’s called a cryptographically secure random number generator, which is built specifically to produce output that nobody can predict.
AI works the opposite way. The technology behind ChatGPT, Copilot, Claude, and the rest is called a large language model. Its entire job is to predict what comes next based on patterns it learned from training data.
That’s exactly the wrong tool for generating passwords. Asking AI to be random is like asking a card counter to draw a random card. They can try, but their training pulls them toward patterns.
What the research found
In fifty runs asking Claude Opus 4.6 for a password, the same password came back eighteen times. Not similar passwords. The exact same one: G7$kL9#mQ2&xP4!w. That single password showed up in 36% of attempts.
Across all the models tested, passwords showed obvious patterns. They almost always started with the same few characters. Certain letters showed up in every single password while most of the alphabet never appeared. None of them had repeating characters, which sounds like a good thing but isn’t. Real randomness includes repetition. The absence of it is a giveaway that something rule-based is happening behind the scenes.
The trouble is that none of this shows up in an online password strength checker. Those tools look at length and character variety. They don’t see hidden patterns. So a password like G7$kL9#mQ2&xP4!w gets graded as taking centuries to crack, when in reality an attacker who knows it came from an AI is guessing from a much smaller pool than the password’s length suggests.
What to do for your business
Use a password manager. Every reputable one has a built-in generator that produces genuinely random passwords, and they store the passwords so nobody has to remember them.
For a business, the value of a password manager is not just stronger passwords. It is shared vaults so your team can access the accounts they need without anyone emailing credentials. Cleaner offboarding when an employee leaves. Better control over who has access to what. And fewer passwords living in browsers, spreadsheets, sticky notes, or someone’s memory. Those are the places real breaches start.
1Password, Bitwarden, Dashlane, and Keeper are all solid choices for a business. The business tiers are inexpensive compared to the cost of one breached account.
While you’re at it, turn on multi-factor authentication everywhere it’s offered. A strong password is the floor. MFA is what actually stops most account takeovers when a password does leak, which over time it will.
The takeaway
AI is genuinely useful for a lot of business work. Drafting, summarizing, brainstorming, coding help, customer support. Passwords are not on that list, and the convenience of asking a chat window for one isn’t worth what you’re giving up.
If you want to get your team onto a password manager, clean up shared access, and tighten account security, we can help. It is one of the highest-value security upgrades most businesses can make for the cost.