On World Password Day, cybersecurity experts are urging both businesses and individual users to reconsider their approach to online authentication, warning that current practices – from password sharing to the increasing use of artificial intelligence-generated credentials – could be undermining overall digital security.
Ryan Sydor, Area Vice President at Okta Canada, highlighted a critical yet frequently neglected security risk in organisational environments: password sharing. "Password sharing may seem harmless, but it's one of the most overlooked risks in organisational security. The average Okta customer in Canada has over 70 different apps, and when employees pass around login credentials, it's easy to lose track of who has access," Sydor said.
Sydor believes World Password Day presents an opportunity not simply for better password practices, but for a fundamental shift towards more secure forms of authentication. "This World Password Day is an opportunity to get rid of passwords entirely. Passwordless authentication is a fundamental shift in how organisations manage identity and access. It's faster, more secure, and critical for protecting the business from the risks tied to outdated login practices," he asserted.
While passwordless solutions, such as biometric authentication or multi-factor logins, are gaining ground, passwords remain the primary line of defence for most online services. The proliferation of passwords, however, leads to poor management habits, including password reuse, easily guessable combinations, and, increasingly, reliance on artificial intelligence tools for help.
Experts from Kaspersky have sounded a cautionary note against this new trend: relying on popular AI models—such as ChatGPT, Llama, or DeepSeek—to generate supposedly secure passwords. According to their research, such passwords, while seemingly random and complex, often contain hidden patterns that make them susceptible to attack.
Alexey Antonov, Data Science Team Lead at Kaspersky, analysed 1,000 passwords generated by each of the major large language models (LLMs). The findings were stark: "Up to 88% of passwords from DeepSeek and 87% from Llama failed Kaspersky's strength tests. Even ChatGPT produced passwords where a third were still weak." Antonov explained that the root cause lies in the AI models' reliance on patterns derived from their training data, rather than truly random character generation.
Antonov provided concrete examples, noting that certain AI models frequently substitute letters with similar-looking numbers or characters, a common trick that is easily anticipated by cybercriminals employing brute-force techniques. In some cases, the models repeatedly produced passwords such as "P@ssw0rd" or showed discernible preferences for particular symbols and letters, reducing their resistance to targeted attacks.
Another issue identified was the omission of necessary security elements: 26% of passwords from ChatGPT, 32% from Llama, and 29% from DeepSeek lacked special characters or digits. Some passwords even failed to meet the commonly recommended minimum length of 12 characters. Testing these AI-generated credentials with machine learning tools, Kaspersky found that nearly 60% could be cracked in under an hour using modern password-cracking hardware or cloud-based resources.
Given these vulnerabilities, Kaspersky strongly advises against using large language models for password generation. Instead, the firm recommends deploying dedicated password management software. These tools employ cryptographically strong password generators and store credentials in encrypted vaults, guarded by a master password.
Such password managers not only ensure the generation of truly random passwords, but also simplify the process for users, offering features like auto-fill, synchronisation across devices, and breach monitoring. These measures collectively reduce reliance on memory and lower the risk of routine password reuse.
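The checks described in the Kaspersky findings above (minimum length of 12, missing digits or special characters, leetspeak substitutions that hide an ordinary dictionary word) and the contrast with a cryptographically strong generator can be shown in a few lines. The block below is an added example written for this article; it is not Kaspersky's test harness or any password manager's code. The category rules, the small wordlist and the leetspeak mapping are assumptions constructed for illustration, and a real audit would use a full cracking dictionary instead of the six words here.

```python
import re
import secrets
import string

# Minimum length the article cites as the common recommendation.
MIN_LENGTH = 12

# Assumed leetspeak substitutions of the kind the article says LLM output
# tends to use; undoing them exposes the underlying dictionary word.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})

# Constructed mini wordlist standing in for a real cracking dictionary.
COMMON_WORDS = {"password", "welcome", "admin", "secret", "letmein", "qwerty"}


def normalize_leet(pw: str) -> str:
    """Lower-case the password and reverse common character substitutions."""
    return pw.lower().translate(LEET_MAP)


def find_weaknesses(pw: str) -> list[str]:
    """Return a list of the weaknesses found; an empty list means all checks passed."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("too short")
    if not any(c.isdigit() for c in pw):
        findings.append("no digit")
    if not any(c in string.punctuation for c in pw):
        findings.append("no special character")
    if not any(c.isupper() for c in pw):
        findings.append("no uppercase")
    if not any(c.islower() for c in pw):
        findings.append("no lowercase")
    # The pattern check: a password that is a dictionary word once the
    # substitutions are undone falls to a rule-based dictionary attack.
    base = normalize_leet(pw)
    if any(word in base for word in COMMON_WORDS):
        findings.append("dictionary word after undoing leetspeak")
    # Same character three or more times in a row.
    if re.search(r"(.)\1\1", pw):
        findings.append("repeated character run")
    return findings


def generate_password(length: int = 16) -> str:
    """Generate a password from the OS CSPRNG (what a password manager does).

    Rejection sampling over the whole string keeps the result uniform over
    all passwords that pass find_weaknesses, rather than forcing one
    character of each class into fixed positions.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not find_weaknesses(pw):
            return pw


if __name__ == "__main__":
    # Constructed samples: the article's own weak example, a typical
    # LLM-style password, and one random password from the generator.
    for sample in ("P@ssw0rd", "Welcome123", generate_password()):
        print(f"{sample!r}: {find_weaknesses(sample) or 'no weaknesses found'}")
```

The generator uses the `secrets` module rather than `random` because the latter is a deterministic Mersenne Twister and is not suitable for credentials; that difference, not the visible complexity of the output, is what separates a password manager's generator from an LLM's pattern-driven text.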
Sydor's call to move beyond passwords altogether is echoed by broader industry trends towards comprehensive identity management. However, as most users continue to navigate a password-heavy landscape, diligence in password management remains paramount, whether for individual accounts or within the complex IT ecosystems of organisations.
As digital threats continue to evolve, the consensus among cybersecurity professionals is clear: shortcuts—whether sharing credentials or leveraging AI for instant solutions—do not compensate for proper security hygiene. Adopting unique, robust credentials for every account, and considering the move to passwordless technologies where feasible, is essential to fortifying digital defences in an increasingly interconnected world.