
By Brett J. Goldstein
Mr. Goldstein is a professor at Vanderbilt University who specializes in cybersecurity and artificial intelligence.
04.28.2026
Anthropic recently sent a shock wave through the cybersecurity world when it said its new artificial intelligence model, Claude Mythos, had exhibited an extraordinary ability to find previously unknown vulnerabilities in software — a hacker’s fantasy. Concern over the tool’s power caused Anthropic to restrict its release mainly to bigger companies, allowing them time to secure their software.
What is everyone else supposed to do? Smaller companies, organizations, nonprofits and regular people are just as much at risk as larger companies. But they most likely lack the skills and resources to address these challenges before their systems are compromised.
Many people may think these problems belong only to the world of cybersecurity experts or tech people, but that’s no longer true. New A.I. tools are going to increase how much insecure software you use in your day-to-day life, while giving attackers a new, powerful weapon to exploit vulnerabilities. If you’re still being careless about things like the strength of the passwords you choose, you’re in for a pretty bad time. If there was ever a time to finally take your cybersecurity practices seriously, it’s now.
I often give talks on cyberdefense to small groups. Inevitably, the conversation turns to personal concerns. Is this app OK? What should I do to protect my phone? Typically, I find a vulnerability for each person. One hasn’t installed bug fixes or security updates on their phone; another doesn’t use two-factor authentication on critical applications. Many have a dangerous app on their device. When confronted with the reality that they are at risk of attack, most insist that enjoyment and convenience outweigh the potential downsides.
That’s always been a dangerous miscalculation, but it’s worse now. We need to correct our behavior immediately and return to fundamentals. Though I’m exasperated that I keep repeating myself, the best advice is still what I would tell people at the beginning of my career: Use strong passwords that are unique across every site, preferably through a trusted password manager. Better yet, when a site offers a passkey, take it. A passkey lets you sign in with your face or fingerprint — no typed password that could be stolen by phishing. For accounts without passkeys, use an authenticator app for two-factor authentication, not text messages. Always keep all your software up to date, and uninstall unnecessary apps.
I would also add: Be wary of new and unproven software that’s recommended to you in your social media feeds. Avoid businesses and technologies that don’t make it abundantly clear that they prioritize your safety; be cautious about giving permission to access location, camera, Bluetooth networks, microphone and other features on your device to an app you’ve never heard of; never use a website if you get a security pop-up that warns you not to proceed. These actions are most likely the best things you can do personally to try to stay ahead of what is coming.
We know the risks of sloppy practices. Almost everyone knows someone who has been a victim of an online scam. Many more of us have had our personal information or passwords leaked online because of never-ending data breaches.
A.I. tools will be able to identify and exploit people — including you — at a scale unseen previously. It has been exciting to see my nontechnical friends using A.I. coding tools like Codex, Claude Code and Perplexity Computer to build and create things they have always wanted to build. Idea to execution is now measured in seconds, and there is a remarkable feeling of empowerment that comes with building something without a computer scientist or engineer. However, as people create more software, they are providing additional targets that new models like Mythos can attack. If you build it, they will come.
The good news is that those coding agents can write secure code. I see them doing it every day. But it usually happens only because someone knew to ask. It’s like hiring inexperienced contractors to build you a house: They might build what you describe, but if you don’t think to ask for locks on the doors or a fence around the yard, you might not get them. Like maintaining a home, keeping up with digital security across your software and devices is a constant process that you have to be proactive about.
But no amount of digital vigilance is going to be enough to change the near-term reality that individual people and small organizations are at a cybersecurity disadvantage. Large companies and enterprises will develop and implement more sophisticated A.I. defenses to counter the threat of the hour, but the general public draws the short straw for now — there is only so much people can do on their own.
I wholeheartedly believe that frontier A.I. companies and the federal government have a responsibility to help make this new landscape safe for all. We don’t build cars without brakes, and we don’t put drugs on the shelf without testing them for side effects. A.I. companies should be talking to one another, sharing information and coordinating action against new threats. The White House Office of the National Cyber Director should aggressively drive and organize those efforts, with a mandate and expanded scope provided by policymakers.
Technology can be frustrating and unsafe on a good day — and the good days are now behind us. Everyone, from governments to corporations to the person next door, has entered an era in which the ability to attack can often exceed our ability to defend. But while large companies have security teams, individuals are on their own. We will all have to make choices to keep ourselves safe. Choose wisely.