Why AI-generated passwords could be your biggest cybersecurity risk this World Password Day

Every year, the first Thursday of May marks World Password Day, a global reminder to take stock of the most fundamental element of online security: your password. As South Africa faces increasing cyber threats and more people turn to artificial intelligence (AI) to simplify digital life, many are asking: can AI help create stronger passwords? The short answer, according to new research, is: not yet.

AI: your new password assistant, or a potential cybersecurity risk?

Password security has never been more critical. In an age where cloud computing, e-commerce, remote work, and digital banking dominate the South African landscape, a weak password is a golden key for cybercriminals. With the rapid rise of tools like ChatGPT and other large language models (LLMs), users are exploring these AI systems not just for productivity but also for security tasks like password generation. But while these tools are impressive in many ways, they may not be as reliable as we think, especially when it comes to protecting our digital identities.

Kaspersky’s test: when AI falls short on password protection

Recently, Alexey Antonov, Data Science Team Lead at global cybersecurity leader Kaspersky, conducted an experiment to test just how secure AI-generated passwords really are. He asked several popular AI models—including OpenAI’s ChatGPT, Meta’s Llama, and China’s emerging DeepSeek—to generate 1,000 passwords each. While all the models claimed to understand the criteria for a strong password, including length, special characters, and the mix of uppercase and lowercase letters, the actual results told a different story.

“All of the models are aware that a good password consists of at least 12 characters, including uppercase and lowercase letters, numbers and symbols. They report this when generating passwords,” says Antonov. “In practice, though, the algorithms often neglected to insert a special character or digits into the password: 26% of passwords for ChatGPT, 32% for Llama and 29% for DeepSeek, while DeepSeek and Llama sometimes generated passwords shorter than 12 characters.”

This data points to a troubling gap between theory and practice. These AI models understand what a secure password looks like, but they frequently fail to deliver on those standards. For South African users and businesses increasingly relying on digital tools, this inconsistency could have serious consequences.

Cybersecurity in South Africa: why strong passwords matter

South Africa is no stranger to cyber threats. In recent years, the country has seen a surge in ransomware attacks, data breaches, and phishing scams. With internet penetration rising and more personal and financial data being shared online, the risks are growing. According to the IBM Cost of a Data Breach Report, the average cost of a data breach in South Africa now exceeds R50 million. In most of these cases, the root cause is simple: compromised or weak credentials.

Despite this, many individuals continue to use common or recycled passwords like “123456” or “password1”. The rise of AI-powered password generation seems like an easy fix, but as the Kaspersky research shows, the solution may not be foolproof. In fact, relying on AI-generated passwords might even offer a false sense of security.

Why AI still struggles to master cybersecurity basics

One of the reasons for this failure lies in how language models work. Tools like ChatGPT or Llama are not designed with cybersecurity in mind. They are trained on vast amounts of text data and are excellent at generating human-like language but not necessarily at consistently applying security rules. They may “understand” the idea of strong passwords conceptually but lack the discipline and precision of dedicated password management software.

Smarter, not weaker: how to build better password habits in 2025

So, what should South African users do this World Password Day?

First, avoid turning to AI models for password generation, at least until the technology is fine-tuned for this purpose. Instead, use trusted password managers that are specifically built to generate and store secure credentials. These tools create truly random passwords that follow all the best practices without the guesswork.
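The check Antonov describes and the alternative recommended above, sketched in Python as an added example (not Kaspersky's code and not part of the original article): `audit` applies the criteria quoted earlier, and `generate` draws from the operating system's CSPRNG through the standard `secrets` module. The function names, the use of ASCII punctuation as the symbol set and the sample passwords are assumptions made for illustration.

```python
import secrets
import string

MIN_LENGTH = 12  # minimum length from the criteria quoted in the article
# Assumption: "symbols" means ASCII punctuation.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def audit(password):
    """Return the criteria a password fails; an empty list means it passes."""
    failures = ["length"] if len(password) < MIN_LENGTH else []
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            failures.append(name)
    return failures


def failure_rate(passwords, criteria=("digit", "symbol")):
    """Share of passwords failing at least one of the given criteria."""
    bad = sum(1 for p in passwords if set(audit(p)) & set(criteria))
    return bad / len(passwords)


def generate(length=16):
    """Build a password from the OS CSPRNG with every class present."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES.values())
    # One guaranteed character per class, the rest from the full alphabet.
    chars = [secrets.choice(cls) for cls in CLASSES.values()]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG so guaranteed characters have no fixed position.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


# Constructed sample passwords, not output from any real model.
SAMPLE = ["Sunshine2024", "correcthorse", "Tr0ub4dor&3x!Q", "Ab1!"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r}: fails {audit(pw) or 'nothing'}")
    print("missing digit or symbol:", failure_rate(SAMPLE))
    batch = [generate() for _ in range(1000)]
    print("generated batch failure rate:", failure_rate(batch))
```

Running the same `audit` over any batch of candidate passwords, whatever produced them, gives the kind of per-criterion failure share reported in the experiment.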

Another effective strategy is using passphrases instead of traditional passwords. A passphrase made up of unrelated words or a memorable sentence—like CoffeeTableSunshine$7Train—can be just as secure as a random string of characters and much easier to remember. The key is to ensure the phrase is long (ideally over 12 characters), is unpredictable, and includes a mix of character types.

Enabling Multi-Factor Authentication (MFA) is also critical. Even if a hacker obtains your password, MFA adds a second layer of protection, often a one-time code sent to your phone or email, which drastically reduces the chances of unauthorised access.

Don’t just trust tech—train your people too

For businesses, employee training is just as important as technology. Many breaches happen not because of complex hacks but due to human error. Regular awareness campaigns about phishing, social engineering, and secure password practices can go a long way toward reducing vulnerabilities.

It’s also worth revisiting password policies within companies. Are employees forced to change passwords regularly without guidance on how to create strong ones? Are systems in place to detect unusual login activity? These are questions every South African organisation should be asking, not just on World Password Day, but year-round.

Ultimately, the promise of AI is enormous, but when it comes to something as sensitive as password security, we’re not there yet. AI tools like ChatGPT are powerful assistants, but they are no substitute for dedicated security software and smart habits. As we embrace AI across all sectors, from banking and insurance to education and e-commerce, it’s vital to recognise its limitations and use it responsibly.

This World Password Day 2025, rethink your digital hygiene, revisit your password strategy, and reinforce the first line of defence in your online life. Because these days a strong password isn’t just a recommendation; it’s a necessity.
