by Richard Farr

It’s a typical moment in 2026, rich with contradiction: up late one evening at the keyboard, your shallow irritation with unnervingly backward current tech is interrupted by deep panic about unnervingly advanced coming tech.
The official story is that Anthropic’s Mythos, latest brainchild of our fast-moving thing-breakers, is an AI so terrifyingly brilliant at hacking that on the very day it falls into the wrong hands (the “government” of Myanmar; a single teenage nose-picker with a laptop and a smirk in a basement in Chelyabinsk; the “government” of the United States in the person of one of The Don’s criminal besties) your bank account will vaporize, to be followed shortly by most of the world financial system.
You stare out of the window, distracted further from the quotidian task you were engaged in by the soothing thought that the Mythos “news” was nothing more than a brilliant piece of deathbed melodrama by an over-hyped company that’s going to exsanguinate unless it gets an infusion of billions, stat.
Then you stare some more, mulling the fact that the “marketing ploy theory” can only be a temporary comfort: next week, or next year, something like Mythos is going to make our current digital security systems, including our personal financial security systems, look even more heart-breakingly antique than — oh yes.
They already do.
What was the name of your first stuffed animal?
I have no idea.
All right, what is your maternal grandmother’s maiden name?
I don’t remember, but someone else could probably find out.
So what hospital were you born in?
I wasn’t.
Where was your father born?
No idea.
What was your own childhood nickname? Surely you must know that?
Sure I do, but I’m not going to tell you.
Perhaps you can remember your childhood phone number, including area code?
I grew up in a tiny village in England in the 1960s, when dinosaurs roamed the land, and our telephone number was North Cadbury 317. Yes, really. I suppose I could use that, but if you ask for the area code I’m stuffed.
Here’s an easier one. What street did you grow up on?
I didn’t. We lived in a stone cottage at the end of a lane with no other house in sight, surrounded by fields and sheep shit. In some ways it was idyllic.
Surely you can tell us the name of the first company you worked for?
No, I can’t. My first job was dispensing petrol, or gas, at a tiny rural car repair business. I was 15, which technically made it illegal to employ me. I was supposed to sit in a tiny cubicle between the two pumps. There was a metal stool, and a metal “desk” that was mostly taken up by the cash register, piles of oily rags, and back copies of the kind of magazine that explains how to install fog lamps on your 1967 Mini Cooper. I have never forgotten working there, because it was an encounter with boredom so punishing, so extreme, that after a couple of weeks I began to fantasise about setting fire to the place, escaping with only minor burns, and being arrested in a carnival of flashing lights. I have suppressed the name of the car repair business.
Well this should be easy: what was the name of your first boyfriend or girlfriend?
Do you want to know about the first girl I kissed, the first girl I was so mad about that I had trouble breathing, or the first girl with whom I had a serious relationship? How are we defining serious here? Should I be saying “woman” at this point? Would I be a better person if I did the romantic thing and told you I never even noticed that women exist until the day I met my wife? Would that depend on whether my wife would respond to this claim by slapping the table and hooting with sarcastic laughter?
Oh dear, we seem to be getting off topic, don’t we?
Sorry.
You do need to take this security stuff seriously.
Believe me, I’m trying.
So what about your favorite restaurant in college?
Restaurant? Are you kidding? I went to “uni” in a small, economically depressed town in the north of England. There was one bad Chinese restaurant and one very very bad pizza place. I almost never went to either of them, both because I had no money and because I don’t like feeling ill. I could say they were called The Iron Wok and Luigi’s, but actually I have no idea.
Favorite book, then?
I’m tempted to choose either Beatrix Potter’s The Tale of Peter Rabbit or Dostoievsky’s The Brothers Karamasov. But when you ask me the question years from now I will have forgotten what I said and will guess wrongly that I said “Italo Calvino’s If on a Winter’s Night a Traveler” — because that is after all the best-ever book title.
How about your favorite fictitious character?
Sorry to split hairs — or appear to be a stereotypical writer harboring snobbish prejudices about semi-literate techies, God forbid! — but shouldn’t that be “fictional”? Wouldn’t a fictitious character be one who isn’t a character in a real story but only in a story that’s itself fictional in that it exists only within a story? If so, I can’t think of an example. With fictional characters I have the opposite problem. Rosalind in As You Like It? Satan in Paradise Lost? Wilma Flintstone? It’s like the book title: when the time comes, there’s no chance I’ll remember who I picked, and then you will become suspicious and lock my account, and then the process of trying to persuade you to unlock it will make me think that I’ve woken in my bed after uneasy dreams to discover to my horror that I am now a fictional character, or a fictitious one, in The Security Question, a newly unearthed story by Kafka.
You just aren’t concentrating, are you?
I am, really I am. It’s just that this whole interaction is making me worry that you — an organization offering to look after my money — may have an “underlying security architecture” that depends on my ability to fax you a homing pigeon.
We assure you it does not!
Assure away. But I just looked at your password requirements, and they’re Babylonian. “A minimum of eight characters, including at least one upper case letter, one lower case letter, one number, and one special symbol?” To quote the great American philosopher John McEnroe, you cannot be serious!
These requirements are designed by IT professionals to make your password stronger.
They were designed by people who should have been fired at birth. Let’s call this kind of thing the COUNTERPRODUCTIVE REQUIRED ALPHANUMERIC PESTILENCE, because then we can call it CRAP for short. In the US, one of the organizations that exists to think carefully about this stuff is the Commerce Department’s National Institute of Standards and Technology (NIST). As your IT professionals should know, NIST has for years recommended that security systems cut the CRAP. It’s not only inconvenient; it pushes poor-to-OK passwords in the direction of really-bad, because the incidentive is irresistible to go as short as possible and then go as simple as possible by starting with a capital letter and ending with a 1 or a 9 and an exclamation mark. It also makes it impossible to either automatically generate a good password with a password manager or change out your password for a simple, user-friendly, highly secure passphrase.
Huh?
It’s been fifteen long years since Randall Monroe’s hymn to correct horse battery staple (here), in which he explained why simple natural language passphrases are so much more secure than complex CRAP passwords. In short: your eight-character this-and-that-and-the-other password is a royal pain, and checks out at about 72^8 = 1,000 trillion combinations — except that CRAP makes it much easier to crack than that raw number suggests. A simple five-word passphrase in friendly lowercase — blame walks mink chart sedge — is somewhere in the region of 10,000^5, which is 100,000 times better. In your system, I can’t use it.
We are doing many other things behind the scenes.
Did I mention how long it took you to implement 2FA? Or that you did it badly? Or that you made it pretty near impossible to use an authenticator app instead of SMS, so that the truth (which naturally you aren’t advertising) is that all you clients who do use an authenticator app could throw a dinner party in a shower stall?
No need to be rude. We are very careful with your data!
No rational person would believe this. There have been thousands of corporate-side data breaches in the last few years alone. That’s why every American’s Social Security number, mother’s maiden name, and preferred brand of underwear has their own Wikipedia page. Don’t tell me you’re different; show me; bet you can’t.
All your worries are being rendered irrelevant anyway. We are leapfrogging from passwords, right over passphrases, into the glorious new land of passkeys.
Try this. Ask a thousand clients to explain (a) what a passkey is, (b) how to use one, (c) whether they are confident that they understand why it’s more secure, and (d) whether they even remember whether or not they are in fact now using it. Now publish the results. Don’t want to? Didn’t think so. Passkeys will remain a mess so long as most people don’t understand what they are, why they work, or how to use them. Oh, I almost forgot: some organizations have implemented passkeys; you have not.
Changing legacy systems can be expensive and difficult.
American banks dithered and procrastinated for a decade about implementing European-style security for credit cards because it would be “expensive and difficult.” Not getting about a hundred times more serious about cybersecurity right now could be one way to make AI expensive and difficult beyond our wildest dreams.
Let’s go back to where we started and try this. Do you remember your grandfather’s occupation?
Yes! That’ll work. He was a research chemist. Also a passionate Wagner fan by the way. Did I tell you the story about how for his first date with my grandmother he pawned his watch to take her to Das Rheingold, and —
Thank you, thank you. Your account has been created. Now wire us all your money and take something strong that will help you to sleep.
