
If you needed a strong password right now, would you ask an AI tool to write one for you?
It's a fair question. Tools like ChatGPT and Copilot have quietly slipped into a lot of business owners' working days. They draft emails, summarise documents, tidy up rough notes, sketch out a piece of code. So asking one to generate a 16-character password full of symbols and numbers feels like a sensible shortcut.
It isn't. And understanding why matters more than you might think.
Researchers have put the major AI tools through their paces by asking them to generate secure passwords. On the surface, the results looked impressive. Long strings of upper and lower case letters, numbers, symbols - exactly what you'd expect a strong password to look like. Standard online password-strength checkers gave them top marks. A couple of tools even claimed the passwords would take centuries to crack.
When the same passwords were examined properly, a very different picture emerged.
The passwords contained repeating patterns. Some were near-duplicates of others generated in the same session. Many followed very similar structures. And almost none of them included repeating characters - which sounds like a good thing but is actually a red flag. Genuine randomness tends to include repetition. The absence of it suggests something more predictable is going on underneath.
Here's the thing about how AI works. Tools like ChatGPT are built on what's called a large language model. In plain English, that means the system has been trained on vast amounts of text and has learned to predict what should come next. It's extraordinarily good at producing output that looks natural and coherent.
What it isn't built to do is generate genuine randomness.
And strong passwords live or die on randomness.
The technical measure here is entropy - a way of quantifying how unpredictable a password is. A genuinely random 16-character password scores highly on entropy, which is what makes it resistant to attack. AI-generated passwords, despite looking complex, score well below where they should sit on this measure.
That gap matters because of how password attacks work in practice. Real-world password cracking rarely tries every possible combination in sequence - it uses intelligent methods that exploit patterns and common structures. A password that looks complex but follows a predictable pattern is far more vulnerable than its appearance suggests.
The online checkers that gave those AI passwords top marks have no way of detecting this. They check for surface-level complexity - symbols, numbers, mixed case - but they can't spot the hidden structure underneath. The password looks strong. The checker says it's strong. But it isn't.
Some of the newer AI tools have started flagging this themselves. Ask one to generate a password for a sensitive account and you'll sometimes get a polite warning telling you not to use AI-generated credentials for anything important.
That should tell you something. When the tool generating the password tells you not to use it, it's worth listening.
A weak password isn't just a personal problem. In a business context, compromised credentials are one of the most common entry points for cyber attacks. Once an attacker has valid login details - whether through a brute-force attack, a credential-stuffing attempt, or a data breach from another service where the same password was reused - they often have access to far more than one account.
For owner-led businesses without a dedicated IT team, the risk is compounded. There's often no centralised visibility over who has access to what, no consistent policy on password creation, and no process for rotating credentials when someone leaves. Weak passwords are frequently the easiest problem to fix - and the one that gets overlooked.
The good news is that the solution is straightforward, affordable, and significantly less complicated than most business owners expect.
A dedicated password manager solves the problem that AI can't. The built-in generator in a reputable password manager uses cryptographic randomness - the mathematical equivalent of rolling proper dice, designed from the ground up to produce output that is genuinely unpredictable. It doesn't learn patterns. It doesn't follow structures. It rolls the dice properly, every single time.
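As an added illustration (not part of the original post, and not the code of any particular password manager), the Python snippet below generates a password from the operating system's cryptographic random source via the standard `secrets` module, works out the entropy of that process, and shows why the lack of repeated characters mentioned earlier is a red flag: a genuinely random 16-character password drawn from the 94 printable keyboard characters repeats at least one character roughly three times out of four.

```python
import math
import secrets
import string

# Full printable keyboard set: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw every character independently from the OS CSPRNG (the 'proper dice').

    secrets.choice never learns, never follows a structure, and never avoids
    repeats - each position is a fresh, uniform draw from the alphabet.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def process_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    Entropy is a property of how a password was generated, not of the string
    itself, which is why a checker that only sees the string cannot measure it.
    """
    return length * math.log2(alphabet_size)


def has_repeated_char(password: str) -> bool:
    """True if any character appears more than once."""
    return len(set(password)) < len(password)


def expected_repeat_probability(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Birthday-problem chance that a uniform random string repeats a character.

    P(all distinct) = product over i of (N - i) / N; the complement is P(repeat).
    """
    p_all_distinct = 1.0
    for i in range(length):
        p_all_distinct *= (alphabet_size - i) / alphabet_size
    return 1.0 - p_all_distinct


def observed_repeat_rate(samples: int = 2000, length: int = 16) -> float:
    """Empirical repeat rate over freshly generated passwords; should track the theory."""
    hits = sum(has_repeated_char(generate_password(length)) for _ in range(samples))
    return hits / samples


if __name__ == "__main__":
    print("sample:", generate_password())
    print(f"entropy of a 16-char draw: {process_entropy_bits(16):.1f} bits")
    print(f"theoretical repeat rate: {expected_repeat_probability(16):.2f}")
    print(f"observed repeat rate:    {observed_repeat_rate():.2f}")
```

A batch of passwords in which almost none repeat a character is therefore statistically unlikely to have come from a uniform random source, whatever an online strength checker says about each one individually.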
Beyond password generation, a business password manager gives you:
For most small and medium businesses, the right password manager can be rolled out across a team in a single afternoon. The disruption is minimal. The protection is substantial.
AI is a genuinely useful productivity tool. It earns its keep across all sorts of jobs in a business - drafting, summarising, researching, structuring. Password creation just isn't one of them.
The core problem isn't that AI tools are trying to produce weak passwords. It's that generating true randomness is fundamentally at odds with what a language model is built to do. A language model predicts what should come next. A secure password needs to be impossible to predict. Those two things are in direct conflict.
Using a proper password manager with a built-in cryptographic generator is the right approach - and it's one of the simplest, most cost-effective security improvements most businesses can make.
Choosing the right password manager, configuring it correctly, and rolling it out without disrupting your team's working day is exactly the kind of thing we help owner-led businesses with.
If you'd like a straightforward conversation about your business's password security - no jargon, no sales pressure - get in touch with the Creavo team. We're always happy to start with an honest chat about where you are and what would actually make a difference.