In a world that is increasingly connected and online, people have a desire to protect themselves and their assets. However, figuring out how to do this is very difficult in an overwhelmingly technical and rapidly advancing field. Hundreds of articles, company trainings, and social media posts attempt to offer guidance, but that adds to the confusion. Even with the best of intentions, this creates a number of myths and misconceptions about staying safe online. Let’s debunk some of the top ones: The Best Passwords are Complex Passwords The most secure passwords are 20 characters long and contain lowercase and uppercase letters, lots of numbers, and a few special characters sprinkled in, right? Right? Technically speaking, yes. Adding length and increasing the number of possible characters will slow down password guessing attacks. But when it comes to the human element, absolutely not. A password is only as secure as its uniqueness. Let’s say I choose a complex password that would take an unreasonable amount of time to brute force. Since it’s such a great password, I’m going to use it for all my accounts. Lucky for hackers, brute forcing isn’t the only method for getting my password. If my credentials are included in a breach, it will only be a short while before my other accounts are compromised too. Password stuffing, or attempting to compromise a user’s account by trying leaked credentials from another account, has been identified as the culprit behind many account breaches, including the of countless Disney+ users following the streaming site’s 2019 launch. lockout Given that the average person has close to , it is no surprise that an estimated reuse at least some of them. When your complex password is hard to remember in the first place, the last thing you want to do is have to remember more of them. 100 passwords 60% The best advice here is to use a password manager and secure it with a and multi-factor authentication (MFA). Instead of remembering tens of passwords, you only need to remember one set of credentials. However, don’t use a password (especially not one you’ve used before), use a passphrase. A passphrase is a combination of several words that make sense to you, but that would be difficult for an attacker could guess. Since it shouldn’t be easy to guess, don’t use things that you’ve posted online like your children’s names. A reference to an inside joke or your deepest secret is probably a good bet. Adding MFA on top of that means that even if someone guess your password, they won’t get access to your password manager without the second code. passphrase does Your Passwords Will Be Stolen if You Write Them Down Following on the previous myth and a secure alternative, I have to admit to a rather controversial opinion: it is perfectly okay to use a paper password manager such as a in cases where users are averse to digital password managers. password journal Yes, your password may get stolen by coworkers, family, or visitors if you write down your password and keep it in open sight, like on a sticky note on your desk. However, if we consider that the largest risk surrounding passwords comes from online attackers, a solution that enables users to use unique passwords for each account is a better defense against password stuffing attacks than using the same couple passwords for all your accounts. Of course, a digital password manager is ideal, but for people who are less technically inclined, a password journal serves as adequate protection. If there’s a concern that a co-worker or family member may steal your journal, securing it in a locked cabinet is a good idea. Ultimately, in the tradeoff between password reuse and the chances of someone stealing a password notebook, password reuse is the greatest risk for most users. A solution that can help prevent that while not advertising your password to your whole office is a pretty worthwhile concession in my book. VPNs Protect You From Hackers I see at least one advertisement a week claiming that using a consumer VPN protects you from hackers stealing your passwords when you log into an account while on public WiFi, and every time I shake my head in disappointment. With of browsing on Google Chrome happening over HTTPS, it is no longer a simple task for a hacker to grab your credentials over public WiFi. Unless a network is using proxy certificates to decrypt and inspect traffic (which requires an effort to configure, but is not uncommon in corporate networks), a VPN likely won’t do you much good on the security front. 99% This is not to say that VPNs aren’t beneficial in any way. VPNs add a level of privacy, hiding your browsing activity from your ISP and preventing trackers that use IP address for verification. However, you will still be subject to tracking from websites’ cookies. Not to mention, the privacy claims are only as good as the VPN’s logging practices (or, ideally, lack thereof). Finally, there is the not often advertised but most common use case for VPNs: bypassing geographic restrictions on media access. This is a trick known by those who may want to stream a TV show only available in another country due to licensing rules. While this still works with many sites, streaming giants like Netflix have wised up to this technique and seek to restrict this trick by blocking known VPN IP addresses. VPNs still have their uses, particularly in unique cases, but claiming that unless you use a VPN, hackers can easily snoop on your browsing and steal your passwords is incredibly outdated and overall bad practice. Sites Using HTTPS Are Trustworthy Now that we’ve mentioned HTTPS, a common piece of advice is that before logging into a website or entering sensitive information, you should check that the site is using HTTPS (sometimes this advice takes the form of “look for the green lock icon in the address bar). This is a solid piece of guidance – I would be incredibly wary if my bank login was not happening over an encrypted connection. Although this guidance only instructs users not to trust sites that don’t use HTTPS, users may assume that the inverse is also true: you can trust any site that uses HTTPS. For the purposes of debunking this myth*, all that HTTPS means is that the connection between your browser and the web server is encrypted, ensuring that others who intercept your traffic can’t decipher or modify the contents. This doesn’t mean that HTTPS isn’t important, rather the opposite; the widespread adoption of HTTPS ensures the integrity and security of site traffic. With such widespread adoption of the technology, any site without this feature is immediately suspect. Recognizing this, cyber criminals have upped their game: as of early 2022, almost of phishing sites used HTTPS. Because users know that HTTPS is a sign of a site’s security, a phishing site using HTTPS seems significantly more trustworthy and less likely to arouse suspicion. three quarters While we absolutely should not trust sites that do not use HTTPS, we need to remind users that HTTPS doesn’t mean a site is , it only means that the connection is secure. safe Aside from encrypted communications, the HTTPS protocol also verifies the site’s origin server using the site’s SSL certificate, granted by a third-party certificate authority. However, that goes a bit beyond what we need here. Reviewing these myths and misconceptions, we see how nuanced cybersecurity is. Our four myths aren’t very far from the truth, and may have even been accurate advice five to ten years ago. However, in a world where an attacker can steal your password by sending you to a website with just one letter changed in its spelling, every detail matters.

This story contains new, firsthand information uncovered by the writer.

Disney

Google

Cybersecurity Myth-Perceptions

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Awareness Is Not Understanding: The Missing Link in Cybersecurity Awareness Campaigns

Windows Sticky Keys Exploit: The War Veteran That Never Dies

06/02/2018: Biggest Stories in the Cryptosphere

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

The Noonification: How the Liver Transplant System Changed Forever (11/25/2023)

Awareness Is Not Understanding: The Missing Link in Cybersecurity Awareness Campaigns

Windows Sticky Keys Exploit: The War Veteran That Never Dies

06/02/2018: Biggest Stories in the Cryptosphere

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

The Noonification: How the Liver Transplant System Changed Forever (11/25/2023)

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps