“LLM-generated passwords…appear strong, but are fundamentally insecure, because LLMs are designed to predict tokens – the opposite of securely and uniformly sampling random characters.” https://www.irregular.com/publications/vibe-password-generation
Vibe Password Generation: Predictable by Design - Irregular

LLM-generated passwords appear strong, but are fundamentally insecure. Testing across GPT, Claude, and Gemini revealed highly predictable patterns: repeated passwords across runs, skewed character distributions, and dramatically lower entropy than expected. Coding agents compound the problem by sometimes preferring and using LLM-generated passwords without the user’s knowledge. We recommend avoiding LLM-generated passwords and directing both models and coding agents to use secure password generation methods instead.
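The two symptoms named in the summary above, repeated passwords and skewed character distributions, can be measured on any batch of generated passwords. The following is an added example, not code from the linked publication or from anyone in this thread: `csprng_password`, `batch_stats` and `skewed_batch` are hypothetical names, and the skewed batch is a constructed stand-in for a biased generator, not real model output.

```python
import math
import random
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def csprng_password(length=16):
    """Draw each character uniformly from ALPHABET using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def batch_stats(passwords):
    """Return (repeat_count, bits_per_char) for a batch of passwords.

    repeat_count  : how many passwords duplicate an earlier one in the batch.
    bits_per_char : Shannon entropy of the pooled character frequencies.
                    It ignores position and ordering, so it is only an
                    upper bound on the real per-character entropy.
    """
    repeats = len(passwords) - len(set(passwords))
    counts = Counter("".join(passwords))
    total = sum(counts.values())
    bits = -sum(n / total * math.log2(n / total) for n in counts.values())
    return repeats, bits

def skewed_batch(n, length=16, seed=1):
    """Constructed sample: a few favoured characters and a small output pool.

    The random module is used here on purpose, only to build a reproducible
    biased sample. It must never be used to generate real passwords.
    """
    rng = random.Random(seed)
    weights = [20 if c in "kP9x#mL2" else 1 for c in ALPHABET]
    pool = ["".join(rng.choices(ALPHABET, weights, k=length))
            for _ in range(n // 4)]
    return [rng.choice(pool) for _ in range(n)]

if __name__ == "__main__":
    ideal = math.log2(len(ALPHABET))  # about 6.55 bits per character
    for name, batch in (("csprng", [csprng_password() for _ in range(500)]),
                        ("skewed", skewed_batch(500))):
        repeats, bits = batch_stats(batch)
        print(f"{name}: repeats={repeats} bits/char={bits:.2f} (ideal {ideal:.2f})")
```
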

@kottke "Furthermore, with the recent surge in popularity of coding agents and vibe-coding tools, people are increasingly developing software without looking at the code. We’ve seen that these coding agents are prone to using LLM-generated passwords without the developer’s knowledge or choice."

I mean, not looking at the code is certainly a choice.

@Ash_Crow @kottke

A choice I suspect most people make, taking the easiest path.

The fast, easy, but not better path.