Latest news with #AlexeyAntonov


Techday NZ
07-05-2025
Kaspersky warns AI-generated passwords expose users to attacks
Kaspersky has issued a warning regarding the use of large language models (LLMs) such as ChatGPT, Llama, and DeepSeek for password generation, citing unpredictable security weaknesses that could make users vulnerable to cyberattacks.

The increased prevalence of online accounts has led to a surge in password re-use and reliance on predictable combinations of names, dictionary words, and numbers. According to Kaspersky, many people are seeking shortcuts by using AI-based tools like LLMs to create passwords, assuming that AI-generated strings offer superior security due to their apparent randomness. However, concerns have been raised over the actual strength of these passwords.

Alexey Antonov, Data Science Team Lead at Kaspersky, examined passwords produced by ChatGPT, Llama, and DeepSeek and discovered notable patterns that could compromise their integrity. "All of the models are aware that a good password consists of at least 12 characters, including uppercase and lowercase letters, numbers and symbols. They report this when generating passwords," says Antonov.

Antonov observed that DeepSeek and Llama sometimes produced passwords utilising dictionary words with letters swapped for similarly-shaped numbers, such as S@d0w12, M@n@go3, and B@n@n@7 for DeepSeek, and K5yB0a8dS8 and S1mP1eL1on for Llama. He noted: "Both of these models like to generate the password 'password': P@ssw0rd, P@ssw0rd!23 (DeepSeek), P@ssw0rd1, P@ssw0rdV (Llama). Needless to say, such passwords are not safe." He explained that the technique of substituting certain letters with numbers, while appearing to increase complexity, is well-known among cybercriminals and can be easily breached using brute force methods.

According to Antonov, ChatGPT produces passwords which initially appear random, such as qLUx@^9Wp#YZ, LU#@^9WpYqxZ and YLU@x#Wp9q^Z, yet further analysis reveals telling consistencies. "However, if you look closely, you can see patterns. For example, the number 9 is often encountered," Antonov said. Examining 1,000 passwords generated by ChatGPT, he found that certain characters, such as x, p, l and L, appeared with much higher frequency, which is inconsistent with true randomness. Similar patterns were observed for Llama, which favoured the # symbol and particular letters. DeepSeek showed comparable tendencies in password generation habits. "This doesn't look like random letters at all," Antonov commented when reviewing the symbol and character distributions.

Moreover, the LLMs often failed to include special characters or digits in a significant portion of passwords: 26% of ChatGPT passwords, 32% for Llama, and 29% for DeepSeek were affected. DeepSeek and Llama occasionally generated passwords that were shorter than the 12-character minimum generally recommended for security. These weaknesses, including pronounced character patterns and inconsistent composition, potentially enable cybercriminals to target common combinations more efficiently, increasing the likelihood of successful brute force attacks.

Antonov referenced the findings of a machine learning algorithm he developed in 2024 to assess password strength, stating that almost 60% of all tested passwords could be deciphered in under an hour using contemporary GPUs or cloud-based cracking services. When applying similar tests to AI-generated passwords, the results were concerning: "88% of DeepSeek and 87% of Llama generated passwords were not strong enough to withstand attack from sophisticated cyber criminals. While ChatGPT did a little better with 33% of passwords not strong enough to pass the Kaspersky test."

Addressing the core problem, Antonov remarked, "The problem is LLMs don't create true randomness. Instead, they mimic patterns from existing data, making their outputs predictable to attackers who understand how these models work."

In light of these findings, Kaspersky recommends individuals and organisations use dedicated password management software instead of relying on LLMs. According to Kaspersky, dedicated password managers employ cryptographically secure generators, providing randomness with no detectable patterns and storing credentials safely in encrypted vaults accessible via a single master password. Password management software, Kaspersky notes, often provides additional features such as auto-fill, device synchronisation, and breach monitoring to alert users should their credentials appear in data leaks. These measures aim to reduce the risk of credential theft and the impact of data breaches by encouraging strong, unique passwords for each service.

Kaspersky emphasised that while AI is useful for numerous applications, password creation is not among them due to its tendency to generate predictable, pattern-based outputs. The company underlines the need to use reputable password managers as a first line of defence in maintaining account security and privacy in the digital era.


Malay Mail
06-05-2025
Should you use passwords by ChatGPT, Deepseek and Llama? Here's what you need to know
KUALA LUMPUR, May 6 — Generative AI is super useful, but should you rely on these tools to generate passwords? In conjunction with World Password Day, Kaspersky has analysed 1,000 passwords generated with various AI tools including ChatGPT, DeepSeek and Llama to find out if they are any good at keeping your logins safe.

As a general rule of thumb, you should avoid reusing the same password across multiple accounts, as attackers can reuse the same password to gain access to other platforms. While it is tempting to use AI to generate random passwords, it turns out that the supposedly random passwords aren't as random as you think.

AI-generated passwords don't offer true randomness

Kaspersky's Data Science Team Lead, Alexey Antonov, generated 1,000 passwords using the top large language models (LLMs) such as OpenAI's ChatGPT, Meta's Llama and China's DeepSeek. On the surface, the LLMs seem to be aware that a good password requires at least 12 characters with a mixture of uppercase and lowercase letters, numbers and symbols.

DeepSeek and Llama tend to generate passwords using dictionary words with some letters substituted with other characters, such as S@d0w12, M@n@go3, B@n@n@7 (DeepSeek), K5yB0a8dS8 and S1mP1eL1on (Llama). These passwords are deemed unsafe as the trick of substituting letters is well known and they are not difficult to brute force.

On the surface, ChatGPT seems to be better as it is able to generate more random-looking passwords such as qLUx@^9Wp#YZ, YLU@x#Wp9q^Z, P@zq^XWLY#v9 and X@9pYWq^#Lzv. However, if you look closer, there's a noticeable pattern where certain characters are used repeatedly, such as X, p and 9. When all symbols used in the 1,000 ChatGPT-generated passwords are plotted in a histogram, it becomes clear that a small cluster of the top 13 characters (x, p, I, L, q, y, @, v, w, X, Y, 9, #) appear significantly more often, over 700 times each. This means the majority of passwords generated aren't as random as one would hope for. Llama seems to show slightly better 'randomness', with only the top 2 characters appearing more than 500 times, while DeepSeek seems to be the best among the three, with the most balanced-looking histogram for character frequency.

What makes a good password?

According to Kaspersky, an ideal random password generator should not have any character preference. All symbols and characters should appear approximately the same number of times. In addition, a good password should also include a special character or digits, which are often neglected by ChatGPT (26 per cent), Llama (32 per cent) and DeepSeek (29 per cent). Another concern is that DeepSeek and Llama sometimes tend to generate a password that's too short, with fewer than 12 characters. With the known password generation pattern illustrated above, cyber criminals can speed up their password brute force attempts by starting with the most frequent combinations for a higher probability of success.

Last year, Antonov developed a machine learning algorithm to test password strength, and it found that nearly 60 per cent of passwords can be cracked within an hour using modern GPUs or cloud-based cracking tools. When he applied the same algorithm to AI-generated passwords, he discovered that these passwords were far less secure. Eighty-eight per cent of DeepSeek and 87 per cent of Llama generated passwords were not strong enough to withstand a sophisticated cyber attack. Meanwhile, ChatGPT performed better, with 33 per cent of generated passwords deemed not strong enough to pass the Kaspersky test.

Antonov added that the problem with LLMs is that they don't create true randomness. Instead, they mimic patterns from existing data, which makes these password outputs predictable to attackers who understand how these models work.

Instead of using AI, Kaspersky recommends that users adopt dedicated password management software, including Kaspersky's Password Manager, to generate and manage all of their passwords. Password managers use cryptographically secure generators to create passwords without detectable patterns, ensuring true randomness. On top of that, all credentials are stored in a secured vault protected by a single master password. As a result, you would only need to remember one password for the vault, instead of having to remember hundreds of passwords for various platforms. For greater convenience, password managers also offer auto-fill and synchronisation across multiple platforms. Not only does this streamline the login process on all your devices without compromising on security, but it also alerts you to a potential data leak if one of your registered platforms has suffered a data breach. — SoyaCincau
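Both articles above describe the same two checks Kaspersky applied: a character-frequency histogram (an unbiased generator has no preferred characters) and a composition check (digit, special character, at least 12 characters). The script below is an added example and is not Kaspersky's analysis code or Kaspersky Password Manager's generator. It runs those checks over a small constructed sample in the style the articles describe (leetspeak dictionary words and the "P@ssw0rd" family; the strings are illustrative, not the 1,000 passwords Kaspersky tested) and over passwords drawn from Python's `secrets` module, which is backed by the operating system's CSPRNG. The `skew_ratio` metric and the rejection-sampling rule in `generate_password` (redraw until a digit and a special character are present, so that uniform sampling still satisfies the composition rule) are this example's own choices, not something either article specifies.

```python
import secrets
import string
from collections import Counter

# Constructed sample in the style the articles describe. Illustrative only,
# not the passwords Kaspersky analysed.
LLM_STYLE_SAMPLE = [
    "S@d0w12", "M@n@go3", "B@n@n@7", "K5yB0a8dS8", "S1mP1eL1on",
    "P@ssw0rd", "P@ssw0rd!23", "P@ssw0rd1", "P@ssw0rdV",
    "qLUx@^9Wp#YZ", "LU#@^9WpYqxZ", "YLU@x#Wp9q^Z", "P@zq^XWLY#v9",
    "X@9pYWq^#Lzv", "Summertime", "Sunshine2024",
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars
SPECIALS = set(string.punctuation)
DIGITS = set(string.digits)
MIN_LENGTH = 12  # the minimum both articles cite


def char_histogram(passwords):
    """Count how often each character occurs across the whole set."""
    return Counter("".join(passwords))


def top_characters(passwords, n=5):
    """The n most frequent characters as (char, count) pairs, most common first."""
    return char_histogram(passwords).most_common(n)


def skew_ratio(passwords):
    """Most frequent character's count divided by the count a perfectly uniform
    draw over ALPHABET would give each character. A generator with no character
    preference stays near 1.0 (sampling noise aside); a biased one sits well above."""
    hist = char_histogram(passwords)
    total = sum(hist.values())
    expected_per_char = total / len(ALPHABET)
    return max(hist.values()) / expected_per_char


def composition_report(passwords):
    """Fraction of the set failing each rule the articles cite: missing a digit
    or a special character, or shorter than MIN_LENGTH."""
    n = len(passwords)
    missing = sum(
        1 for p in passwords
        if not (DIGITS & set(p)) or not (SPECIALS & set(p))
    )
    short = sum(1 for p in passwords if len(p) < MIN_LENGTH)
    return {"missing_digit_or_special": missing / n, "too_short": short / n}


def generate_password(length=16):
    """CSPRNG-backed generator (secrets module). Every position is an independent
    uniform draw from ALPHABET; candidates lacking a digit or a special character
    are rejected and redrawn, so the composition rule holds without biasing any
    single position toward a particular character class."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (DIGITS & set(candidate)) and (SPECIALS & set(candidate)):
            return candidate


def csprng_sample(count=1000, length=16):
    """A set of generator outputs large enough for the histogram to be meaningful."""
    return [generate_password(length) for _ in range(count)]


if __name__ == "__main__":
    print("LLM-style sample, top chars:", top_characters(LLM_STYLE_SAMPLE))
    print("LLM-style sample, skew ratio: %.2f" % skew_ratio(LLM_STYLE_SAMPLE))
    print("LLM-style sample, composition:", composition_report(LLM_STYLE_SAMPLE))
    rnd = csprng_sample()
    print("CSPRNG sample, top chars:", top_characters(rnd))
    print("CSPRNG sample, skew ratio: %.2f" % skew_ratio(rnd))
    print("CSPRNG sample, composition:", composition_report(rnd))
```

On the constructed sample the '@' character alone accounts for 15 of 160 characters, a skew ratio near 9, and a quarter of the entries lack a digit or special character; a CSPRNG sample of 1,000 sixteen-character passwords keeps the skew ratio close to 1 and fails no composition check. The same two functions can be pointed at any batch of generator output to reproduce the kind of histogram comparison the articles describe.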