I Have Some Questions About Your Threat Model

A short note on the new password hygiene advice going around.

2 min read 240 words #security #ai #passwords #opsec
hindsight — still happening

The passwords are still on OpenAI's servers. The opt-out is now a toggle in settings instead of a buried Google Form, which is progress in the way that moving a fire exit from behind a bookshelf to behind a regular door is progress. Free-tier ChatGPT still trains on your data by default.

Someone told me they've been running all their passwords through ChatGPT for feedback on strength.

I want to be careful here because I don't think this person is stupid. I think they've correctly identified that passwords are important, correctly identified that AI is good at evaluating things, and then connected those two observations in a way that is going to end very badly for them.

The passwords are now on OpenAI's servers. That's the whole story. Whatever ChatGPT says about uppercase letters and special characters — and it will say something confident and helpful — the passwords are on OpenAI's servers.

There is a version of this where it's fine. Maybe the passwords are for accounts that don't matter. Maybe nothing bad happens. Security is probabilistic and most people get away with most things most of the time. But "I typed my banking password into a third-party web service and asked it to analyze the string" is not a threat model, it's a trust fall over a canyon.

The feedback is also, presumably, correct. That's the part that makes it so elegant as a catastrophe. You came away with genuinely useful information about entropy and dictionary attacks, and you paid for it with the actual password. A perfect transaction in the wrong direction.

Use a password manager. Let the password manager generate the password. You don't get to see it, rate it, or have feelings about it. That's the feature.
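The entropy and dictionary feedback the post describes can be computed without the password ever leaving your machine. The following is an added example, not the author's code: a small local checker next to a CSPRNG generator of the kind a password manager uses. The wordlist and the 60-bit threshold are constructed for the example.

```python
import math
import secrets
import string

# Constructed stand-in for a local wordlist or breach-corpus file; in practice
# load one from disk. Nothing in this script sends the candidate anywhere.
COMMON_WORDS = {"password", "letmein", "qwerty", "dragon", "welcome", "monkey"}
MIN_BITS = 60  # assumed threshold for this example, not a standard

def charset_size(pw):
    """Size of the smallest standard alphabet covering every character in pw."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)
    # Spaces and non-ASCII characters: count each distinct one as one symbol.
    size += len({c for c in pw if not (c.isalnum() or c in string.punctuation)})
    return size

def estimated_entropy_bits(pw):
    """Upper bound: assumes each character was drawn uniformly from the charset.
    Human-chosen passwords are far weaker than this suggests, which is why the
    dictionary check exists."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n > 1 else 0.0

def dictionary_hits(pw, words=COMMON_WORDS):
    """Wordlist entries embedded in pw after undoing common leetspeak swaps."""
    normalized = pw.lower().translate(str.maketrans("01345@$", "oleasas"))
    return sorted(w for w in words if w in normalized)

def assess(pw):
    """Local strength feedback: the same kind of answer, without disclosing pw."""
    bits = estimated_entropy_bits(pw)
    hits = dictionary_hits(pw)
    verdict = "weak" if hits or bits < MIN_BITS else "ok"
    return {"entropy_bits": round(bits, 1), "dictionary_hits": hits, "verdict": verdict}

def generate(length=20, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Generate a password with the OS CSPRNG, the way a password manager does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    print(assess("P@ssw0rd1!"))   # human-chosen: dictionary hit, verdict "weak"
    print(assess(generate(24)))   # machine-generated: well over MIN_BITS, verdict "ok"
```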