In a world that is increasingly connected and online, people have a desire to protect themselves and their assets. However, figuring out how to do this is very difficult in an overwhelmingly technical and rapidly advancing field. Hundreds of articles, company trainings, and social media posts attempt to offer guidance, but that adds to the confusion. Even with the best of intentions, this creates a number of myths and misconceptions about staying safe online. Let’s debunk some of the top ones:
The most secure passwords are 20 characters long and contain lowercase and uppercase letters, lots of numbers, and a few special characters sprinkled in, right? Right?
Technically speaking, yes. Adding length and increasing the number of possible characters will slow down password guessing attacks. But when it comes to the human element, absolutely not. A password is only as secure as its uniqueness.
Let’s say I choose a complex password that would take an unreasonable amount of time to brute force. Since it’s such a great password, I’m going to use it for all my accounts. Lucky for hackers, brute forcing isn’t the only method for getting my password. If my credentials are included in a breach, it will only be a short while before my other accounts are compromised too. Credential stuffing (often called password stuffing), or attempting to compromise a user’s account by trying leaked credentials from another account, has been identified as the culprit behind many account breaches, including the lockout of countless Disney+ users following the streaming site’s 2019 launch.
Given that the average person has close to 100 passwords, it is no surprise that an estimated 60% reuse at least some of them. When your complex password is hard to remember in the first place, the last thing you want to do is have to remember more of them.
The best advice here is to use a password manager and secure it with a passphrase and multi-factor authentication (MFA). Instead of remembering dozens of passwords, you only need to remember one set of credentials. However, don’t use a password (especially not one you’ve used before); use a passphrase. A passphrase is a combination of several words that make sense to you, but that would be difficult for an attacker to guess. Since it shouldn’t be easy to guess, don’t use things that you’ve posted online, like your children’s names. A reference to an inside joke or your deepest secret is probably a good bet. Adding MFA on top of that means that even if someone does guess your passphrase, they won’t get access to your password manager without the second factor.
Following on the previous myth and a secure alternative, I have to admit to a rather controversial opinion: it is perfectly okay to use a paper password manager such as a password journal in cases where users are averse to digital password managers.
Yes, your password may get stolen by coworkers, family, or visitors if you write down your password and keep it in open sight, like on a sticky note on your desk.
However, if we consider that the largest risk surrounding passwords comes from online attackers, a solution that enables users to use unique passwords for each account is a better defense against credential stuffing attacks than using the same couple of passwords for all your accounts.
Of course, a digital password manager is ideal, but for people who are less technically inclined, a password journal serves as adequate protection. If there’s a concern that a co-worker or family member may steal your journal, securing it in a locked cabinet is a good idea.
Ultimately, in the tradeoff between password reuse and the chances of someone stealing a password notebook, password reuse is the greatest risk for most users. A solution that can help prevent that while not advertising your password to your whole office is a pretty worthwhile concession in my book.
I see at least one advertisement a week claiming that using a consumer VPN protects you from hackers stealing your passwords when you log into an account while on public WiFi, and every time I shake my head in disappointment. With 99% of browsing on Google Chrome happening over HTTPS, it is no longer a simple task for a hacker to grab your credentials over public WiFi. Unless a network is using proxy certificates to decrypt and inspect traffic (which requires an effort to configure, but is not uncommon in corporate networks), a VPN likely won’t do you much good on the security front.
This is not to say that VPNs aren’t beneficial in any way. VPNs add a level of privacy, hiding your browsing activity from your ISP and hindering trackers that rely on your IP address. However, you will still be subject to tracking from websites’ cookies. Not to mention, the privacy claims are only as good as the VPN provider’s logging practices (or, ideally, lack thereof).
Finally, there is the not often advertised but most common use case for VPNs: bypassing geographic restrictions on media access. This is a trick known by those who may want to stream a TV show only available in another country due to licensing rules. While this still works with many sites, streaming giants like Netflix have wised up to this technique and seek to restrict this trick by blocking known VPN IP addresses.
VPNs still have their uses, particularly in specific cases, but claiming that unless you use a VPN, hackers can easily snoop on your browsing and steal your passwords is incredibly outdated and, on the whole, bad advice.
Now that we’ve mentioned HTTPS, a common piece of advice is that before logging into a website or entering sensitive information, you should check that the site is using HTTPS (sometimes this advice takes the form of “look for the green lock icon in the address bar”). This is a solid piece of guidance – I would be incredibly wary if my bank login was not happening over an encrypted connection. Although this guidance only instructs users not to trust sites that don’t use HTTPS, users may assume that the inverse is also true: that you can trust any site that uses HTTPS.
For the purposes of debunking this myth*, all that HTTPS means is that the connection between your browser and the web server is encrypted, ensuring that others who intercept your traffic can’t decipher or modify the contents. This doesn’t mean that HTTPS isn’t important, rather the opposite; the widespread adoption of HTTPS ensures the integrity and security of site traffic. With such widespread adoption of the technology, any site without this feature is immediately suspect. Recognizing this, cyber criminals have upped their game: as of early 2022, almost three quarters of phishing sites used HTTPS. Because users know that HTTPS is a sign of a site’s security, a phishing site using HTTPS seems significantly more trustworthy and less likely to arouse suspicion.
While we absolutely should not trust sites that do not use HTTPS, we need to remind users that HTTPS doesn’t mean a site is safe; it only means that the connection is secure.
* Aside from encrypted communications, the HTTPS protocol also verifies the site’s origin server using the site’s SSL certificate, granted by a third-party certificate authority. However, that goes a bit beyond what we need here.
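To make the point concrete, here is an added example (not code from the original article) that judges a URL by its hostname rather than by whether it starts with https://. A valid certificate for “disneyp1us.com” would give that site a lock icon just the same; the check below flags hostnames within one edit of a known domain, or that embed a known domain inside some other registrable domain. The list of known domains and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed for this example: domains the user actually holds accounts with.
KNOWN_DOMAINS = ["example-bank.com", "disneyplus.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Lower-cased hostname, with the scheme (http/https) deliberately ignored."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def classify(url: str, known=KNOWN_DOMAINS, max_distance: int = 1) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a URL.

    'trusted' means the host is a known domain or a subdomain of one.
    'lookalike' means the host is a near-miss (one typo away) or hides a known
    domain inside another registrable domain, e.g. example-bank.com.evil.test.
    HTTPS is never consulted: an encrypted connection says nothing about this.
    """
    host = hostname_of(url)
    if not host:
        return "unknown"
    for good in known:
        if host == good or host.endswith("." + good):
            return "trusted"
    for good in known:
        if good in host or edit_distance(host, good) <= max_distance:
            return "lookalike"
    return "unknown"


def scan(urls):
    """Classify each URL; a dict keeps the result checkable rather than only printed."""
    return {url: classify(url) for url in urls}


if __name__ == "__main__":
    for url, verdict in scan(["https://disneyplus.com/login",
                              "https://disneyp1us.com/login",
                              "https://example-bank.com.evil.test/signin"]).items():
        print(f"{verdict:9s} {url}")
```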
Reviewing these myths and misconceptions, we see how nuanced cybersecurity is. Our four myths aren’t very far from the truth, and may have even been accurate advice five to ten years ago. However, in a world where an attacker can steal your password by sending you to a website with just one letter changed in its spelling, every detail matters.