AI Is Getting Better At Finding Security Holes. Here's What Normal People Need To Do.
Anthropic's Mythos Preview shows how fast AI is changing cybersecurity. Here's what normal people and small business owners should do to protect their accounts.

Updated May 2026
AI is making cybersecurity less optional.
There's a new AI cybersecurity model from Anthropic called Claude Mythos Preview.
That sentence probably sounds like something you'd ignore because it feels like tech-world noise.
Don't.
Anthropic says Mythos Preview has been able to find and exploit previously unknown security flaws, called zero-day vulnerabilities, in major operating systems and major web browsers during testing. That includes the kind of software regular people use every day: phones, laptops, browsers, apps, and websites.
That doesn't mean a random hacker can push one magic button and instantly hack every device on earth.
That's not how this works.
But it does mean something very important:
AI can help find security problems faster than humans used to find them.
And when bad people get access to tools like that, or tools that are close enough, lazy security becomes a much bigger problem.
What does that mean in normal-person English?
Think of software like a house.
Your phone is a house.
Your email account is a house.
Your Facebook account is a house.
Your bank login is a house.
Your website is a house.
Your Google Business Profile is a house.
Your domain account is a house.
For years, a lot of those houses had tiny cracks in the windows, loose locks, or hidden back doors nobody had found yet.
Now AI is getting really good at finding those cracks.
That's the scary part.
Not because everyone is doomed.
Because the people with weak passwords, reused passwords, old devices, and no real login protection are the easiest targets.
Hackers usually don't need to be geniuses.
They just need you to be lazy.
The biggest mistake people make with cybersecurity
A lot of people think cybersecurity means antivirus software.
That's outdated thinking.
Antivirus can help, but most people don't get hacked because some movie-villain hacker broke through twelve firewalls while wearing a hoodie.
They get hacked because of boring stuff:
- They reused the same password everywhere.
- They clicked a fake login link.
- They typed a code into a fake website.
- They ignored software updates for six months.
- They used text-message codes and thought that meant they were fully protected.
- They let their email account become the master key to their entire life.
Is 2FA enough?
Sometimes.
But this is where people get confused.
2FA means two-factor authentication. That's when a website asks for your password plus something else, like a code, app approval, fingerprint, or security key.
That sounds simple, but not all 2FA is equally safe.
Here's the plain-English version.
Best: passkeys or hardware security keys
This is the strongest option for most people.
A passkey lets you log in using your device, Face ID, fingerprint, PIN, or password manager. It's much harder for a fake website to steal because there isn't a password or code for you to type into a scam page.
A hardware security key is a physical key, like a YubiKey, that you plug in or tap to prove it's really you.
This is the "real lock on the door" version of account security.
Use this for your most important accounts when available:
- Banking
- Password manager
- Google account
- Apple account
- Microsoft account
- Facebook account
- Website hosting
- Domain registrar
- Payment processor
- Accounting software
Good: authenticator apps
Authenticator apps are things like:
- Google Authenticator
- Microsoft Authenticator
- 1Password
- Bitwarden
- Authy
Better than nothing: text-message codes
Text-message codes are the weakest common version of 2FA.
They're still better than having nothing, but they're not the best choice.
Why?
Because phone numbers can be attacked. Scammers can try SIM swapping, phone-number porting, phishing, or other tricks to get those codes.
Even NIST's current digital identity guidance says OTP authentication is not phishing-resistant. OTP means one-time passcode, which includes those short-lived login codes people use all the time.
So if text-message codes are your only option, use them.
But if a site offers passkeys or an authenticator app, use that instead.
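For readers who want to see why the ranking works this way, here is an added example (not from Anthropic, NIST, or any product named in this article). It shows that a one-time code is accepted no matter which page you typed it into, while a passkey-style response carries the page's address and the real site rejects it if that address is wrong. The site names and keys are made up, and HMAC stands in for the public-key signature a real passkey uses.

```python
import hashlib, hmac, json, struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1): depends only on the shared secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def site_accepts_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    # The site cannot tell which page the user typed the code into.
    return hmac.compare_digest(totp(secret, unix_time), submitted)

def browser_sign(device_key: bytes, challenge: str, page_origin: str) -> dict:
    """Simplified passkey response: the browser, not the user, fills in the origin.
    Assumption: HMAC stands in for the authenticator's public-key signature."""
    client_data = json.dumps({"challenge": challenge, "origin": page_origin})
    sig = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}

def site_accepts_passkey(device_key: bytes, response: dict,
                         challenge: str, real_origin: str) -> bool:
    expected = hmac.new(device_key, response["client_data"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["signature"]):
        return False  # client data was altered after signing
    data = json.loads(response["client_data"])
    return data["challenge"] == challenge and data["origin"] == real_origin

def demo() -> dict:
    real, fake = "https://bank.example", "https://bank-login.example"  # constructed
    secret = b"12345678901234567890"     # RFC 6238 test secret
    key = b"constructed-device-key"      # constructed sample key
    code = totp(secret, 59)              # user reads this and types it on the fake page
    return {
        "code_from_fake_page_accepted": site_accepts_totp(secret, code, 59),
        "passkey_from_fake_page_accepted":
            site_accepts_passkey(key, browser_sign(key, "c-1", fake), "c-1", real),
        "passkey_from_real_page_accepted":
            site_accepts_passkey(key, browser_sign(key, "c-1", real), "c-1", real),
    }

if __name__ == "__main__":
    print(demo())
```

Real passkeys go one step further: the credential is tied to the real site's address, so the browser will not even offer it on a look-alike page.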
The security ranking, without the tech lecture
Here's the order:
- Best: passkeys or hardware security keys.
- Good: authenticator app codes.
- Okay: text-message codes.
- Bad: password only.
- Terrible: same password on multiple accounts.
What should normal people do right now?
Start with these.
1. Use a password manager
Stop trying to remember every password.
That's how people end up using the same password for Facebook, Gmail, Netflix, QuickBooks, and their bank.
Use a password manager like 1Password, Bitwarden, iCloud Passwords, Google Password Manager, or another reputable option.
The goal is simple:
- Every account gets its own password.
- Every password is long and random.
- You only need to remember the password for the password manager.
2. Lock down your email first
Your email account is the master key.
Start there.
Turn on the strongest login protection available:
- Passkey if possible.
- Security key if possible.
- Authenticator app if passkeys aren't available.
- Text-message code only if that's the only option.
3. Turn on 2FA for your important accounts
Start with:
- Banking
- Apple
- Microsoft
- Amazon
- Password manager
- Website hosting
- Domain registrar
- QuickBooks or accounting software
- Stripe, Square, PayPal, or payment accounts
4. Stop clicking login links from emails
This one matters.
If you get an email saying "your account has been locked," don't click the button.
- Open your browser yourself.
- Type in the website yourself.
- Log in from there.
5. Update your devices
Updates are annoying.
Do them anyway.
A lot of updates fix security holes.
Your phone, computer, browser, apps, website plugins, and business software should not be months behind.
That little "remind me tomorrow" button is not a cybersecurity strategy.
6. Back up important files
If your computer gets stolen, hacked, fried, or locked by ransomware, your backup is what saves you.
Use cloud backup, external backup, or both.
Business owners should be especially serious about this.
Client files, invoices, contracts, brand assets, tax documents, website files, and logins should not live in one fragile place.
7. Never approve a login you didn't start
If your phone pops up asking you to approve a login and you weren't logging in, hit no.
Do not approve it just to make the notification go away.
That's like hearing someone jiggle your front door and opening it because the noise annoyed you.
What should small business owners do differently?
Small business owners need to take this more seriously than regular people.
Because a hacked personal Facebook account is annoying.
A hacked business account can cost money.
A hacked Google Business Profile can kill leads.
A hacked domain account can take down your website.
A hacked email account can lead to fake invoices, stolen payments, exposed customer info, and a giant mess you get to clean up while still trying to run the business.
Here are the accounts business owners should protect first:
- Domain registrar
- Website hosting
- Google Business Profile
- Google Workspace or Microsoft 365
- Meta Business Manager
- Ad accounts
- Banking
- Payment processor
- Accounting software
- Password manager
- Cloud storage
- CRM
- Admin accounts for the website
So should we be scared?
No.
But you should stop being casual.
AI is making security flaws easier to find. Anthropic's Project Glasswing is already giving selected organizations access to Mythos Preview to help find and fix vulnerabilities in major systems.
That's the good side.
The bad side is obvious: attackers will keep getting better tools too.
So the answer isn't panic.
The answer is basic security hygiene that should've already been done.
- Use a password manager.
- Use different passwords.
- Turn on passkeys where you can.
- Use an authenticator app when passkeys aren't available.
- Don't rely on text-message codes unless you have no better option.
- Update your devices.
- Back up your files.
- Protect your email like it controls your entire life, because it basically does.
For small business owners
If you own a small business and don't know whether your website, Google account, domain, or marketing accounts are protected properly, start there. Those are the accounts that affect leads, money, trust, and whether your business looks alive online.
Sources
Source labels referenced for this article:
- Anthropic: Claude Mythos Preview
- Anthropic: Project Glasswing
- CISA: Phishing-resistant MFA
- NIST: Digital Identity Guidelines
