🤖 AI Summary
This study addresses the persistent tension between security and usability in user-created passwords, which often results in insufficient strength, while the efficacy and user acceptance of AI-generated passwords remain unclear. Through an eye-tracking experiment, the authors systematically compare user behavior during password creation, selection, and memorization across three AI models (DeepSeek-API, ChatGPT-API, and PassGPT) and a rule-based random generator. The work reveals, for the first time, a significant positive correlation between users’ visual attention to contextual cues and the entropy of the resulting passwords, suggesting that human factors, and not only the generation tool, shape password security. Although AI-generated passwords exhibit objectively higher strength, participants consistently preferred self-created ones. Together, these findings offer a novel perspective for attention-driven secure password design.
📝 Abstract
Passwords remain the primary authentication method, yet user-created passwords are often the weakest due to the security-usability trade-off. Although AI-based password generators are emerging, little is known about their effectiveness and user perceptions. This eye-tracking study examined how behavior during password creation, selection, and memorization relates to objective and subjective password quality. Four password models, three AI-based (DeepSeek-API, ChatGPT-API, PassGPT) and one rule-based random generator, generated suggestions from participants' self-generated passwords across four website contexts. Eye movements were recorded throughout the experiment. Results confirm the expected trade-off between AI-generated password strength and human memorability but also reveal a novel behavioral link. Despite stronger AI-generated passwords, participants favored self-generated ones. Notably, visual attention to contextual cues was significantly correlated with higher password entropy. This suggests that security is shaped not only by the generation tool but also by users' visual engagement with contextual cues, highlighting the potential of attention-driven security design.