A password like G7$kL9#mQ2&xP4!w looks strong.
Every password checker rates it "excellent."
But researchers at Irregular just published something worth knowing: that exact string appeared 18 out of 50 times when Claude was asked to generate a password.
The reason: LLMs are prediction engines. They're optimized for plausibility, not randomness. Claude's passwords had ~27 bits of entropy. A truly random password has ~98.
Password checkers can't detect this. They see character variety. They can't see statistical distribution.
It gets worse for developers: Irregular also found AI coding agents hardcoding these patterns directly into Docker configs and .env files — without the developer knowing.
They found the patterns on GitHub.
Are you auditing AI-generated codebases for hardcoded credentials?
#CyberSecurity #PasswordSecurity #DevSecOps #AppSec
Author: T.O. Mercer
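One way to run the audit the post asks about, as an added example (not from the post or from Irregular's research): a small scanner that flags literal credential values in .env and Compose text and reports literals reused across files. The key-name patterns, file paths and sample contents are assumptions constructed for illustration; only the password string comes from the post.

```python
import re
import secrets
import string
from collections import defaultdict

# Key names treated as credentials (assumed naming convention, extend as needed).
SECRET_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY", re.I)
# Matches KEY=value (.env, Dockerfile ENV) and "KEY: value" / "- KEY=value" (compose).
ASSIGN = re.compile(r"^\s*(?:-\s*|ENV\s+|export\s+)?([A-Za-z_]\w*)\s*[=:]\s*(.+?)\s*$")
# ${VAR} or $VAR: the value is injected at runtime, so nothing is hardcoded.
REFERENCE = re.compile(r"\$\{[^}]+\}|\$[A-Za-z_]\w*")

def find_hardcoded(files):
    """Scan {path: text} and return literal credential assignments."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = ASSIGN.match(line)
            if not m or not SECRET_KEY.search(m.group(1)):
                continue
            value = m.group(2).strip("'\"")
            if value and not REFERENCE.fullmatch(value):
                hits.append({"path": path, "line": lineno, "key": m.group(1), "value": value})
    return hits

def reused_values(hits):
    """Literals shared by more than one file: the repetition the post describes."""
    paths = defaultdict(set)
    for h in hits:
        paths[h["value"]].add(h["path"])
    return {v: sorted(p) for v, p in paths.items() if len(p) > 1}

def random_password(length=16):
    """Replacement value drawn from the OS CSPRNG instead of a model."""
    pool = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(pool) for _ in range(length))

# Constructed sample files; the password literal is the one quoted in the post.
SAMPLE = {
    "api/.env": "APP_PORT=8080\nDB_PASSWORD=G7$kL9#mQ2&xP4!w\nAPI_TOKEN=${API_TOKEN}\n",
    "docker-compose.yml": "services:\n  db:\n    image: postgres:16\n    environment:\n"
                          "      POSTGRES_PASSWORD: \"G7$kL9#mQ2&xP4!w\"\n",
}

if __name__ == "__main__":
    found = find_hardcoded(SAMPLE)
    for h in found:
        print(f'{h["path"]}:{h["line"]} {h["key"]} is a hardcoded literal')
    print("reused across files:", reused_values(found))
```

A literal that shows up in more than one file or repository is worth rotating first, since a strength meter will score it the same as a unique one.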