In February 2026, researchers at Irregular published a detailed post about LLM-generated passwords, showing how passwords generated by LLMs follow notable patterns and are generally highly predictable. The root cause is fundamental: LLMs are optimized to predict probable outputs, which is the exact opposite of what secure password generation demands. That observation raised a natural follow-on question: if LLMs leave statistical fingerprints in the passwords they generate, can those fingerprints be detected and attributed? Can we look at a password found in a leaked dataset and say which model generated it? More importantly, can we measure how widely those LLM passwords are used in the wild? That is what this research set out to answer. Extending the perimeter We extended the scope of the analysis to 40 LLM models from 11 providers, including both closed-source (OpenAI GPT, Anthropic Claude, etc) and open-source (Qwen, DeepSeek, etc) models.…