In this post we aim to shed some light on some of the most common myths and misunderstandings concerning cyber security, including your passwords. We've seen many different viewpoints and opinions, some often stated as fact, but some of these ideas leave you less secure than if you had carried on as you were before. Sometimes these come from your friends and family, other times from "experts" who have been misled by the sheer volume of information available to us in the digital age.
Some of these myths could be seen as harmless and may even give incidental protection, but others can give you a false sense of security and actively weaken your privacy and security. I have even seen some of these become company policy because they are so widespread.
I've heard some of these myths so many times, and was even led to believe them until I became more interested in cyber security a few years ago. This post won't eradicate the problem, but I hope by reading this information you may have a little more understanding about online security.
Myth: Don't write it down
I can understand this one, but writing down a password doesn't mean writing it down and keeping it on display for all to see. There is a big difference! We've all seen people write a password on a post-it note and then tape it to their laptop or monitor, and I actively discourage this, but there is little harm in writing certain ones down in a notebook which is kept hidden away, perhaps in a safe.
There are some passwords and recovery codes that vendors and providers ask you to make sure you have written down or printed out for safe keeping.
The certain ones I mentioned above are ones that can't be stored in password management software, or that may be needed to recover a backup to a device that is lost or damaged. These passwords may be infrequently used and therefore easily forgotten, but please remember to make them complex (more on that later).
One thing never to do when writing down a password is to store it in a file on your computer named something like "passwords.txt". Password-protected files do have an advantage here, but if you do this, keeping them out of sight and not on your desktop is best.
Myth: Changing password every 30 days
In the past, technology couldn't handle as much as it can today and restrictions on password length and characters were in place. This led to a lot of passwords being short and insecure. This is no longer an issue with today's technology; a modern operating system is capable of handling a much wider range of characters and lengths. At work or school you may be required to change your password frequently. In most cases this is nothing more than a relic of a bygone age, and these days it is much less secure to keep changing your passwords. However, there are still some banking institutions that have a maximum length or character restrictions on a password. This could be down to poor or outdated software, or through fear of certain cyber attacks where the developers have decided this is the best (usually easiest) way of helping to prevent them.
Long passwords including special characters are far more secure than a single word. Changing this long, complex password every 30 days does nothing to improve its security. If anything, the opposite happens. If you have to keep changing these passwords, eventually you are going to get lazy and just use variations of the same one, such as adding a number to the end or capitalising a different letter. You will also be less likely to remember the password and will have to reset it more often. Some good advice is to pick a phrase you will remember (it can be random if you like), add a special character, a capital letter and a number or two, and you'll have a pretty secure password.
The above comic explains this quite well!
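To put numbers on the two points above (a long phrase beats a short word, and forced rotation breeds lazy variants), here is an added example in Python; it is not code from the original post. The bit estimate, the 60-bit threshold and the list of "decorations" stripped are my own assumptions for a password-change check a defender might run, not any vendor's policy.

```python
import math
import re
import string

def guess_space_bits(password: str) -> float:
    """Ceiling on the brute-force search space: log2(alphabet ** length),
    with the alphabet sized by which character classes actually appear.
    Dictionary attacks do far better than this, so treat it as an upper bound."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation or c.isspace() for c in password):
        alphabet += 33
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def _canonical(password: str) -> str:
    """Strip the 'lazy rotation' decorations so that Summer2023! and
    summer2024# collapse to the same core word: case, leading/trailing
    digits and symbols, and a few common letter-for-symbol swaps (assumed list)."""
    p = password.lower()
    p = re.sub(r"[\d\W_]+$", "", p)
    p = re.sub(r"^[\d\W_]+", "", p)
    return p.translate(str.maketrans("@$013!", "asolei"))

def is_trivial_variant(new: str, old: str) -> bool:
    """True when the new password is the old one with only decorations changed."""
    return _canonical(new) == _canonical(old)

def assess_change(new: str, old: str, min_bits: float = 60.0) -> list:
    """Password-change policy check: reject a search space below `min_bits`
    and reject rotations that merely tweak the previous password."""
    problems = []
    if guess_space_bits(new) < min_bits:
        problems.append("too short / too few character classes")
    if is_trivial_variant(new, old):
        problems.append("trivial variant of previous password")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    print(assess_change("Summer2024#", "Summer2023!"))
    print(assess_change("correct horse battery staple!", "Summer2023!"))
```

A 30-day rotation typically produces the first pair, which this check rejects even though the new password clears the length bar; the passphrase passes with room to spare.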
Myth: 2FA isn't secure
I used to find Two Factor Authentication/Multi Factor Authentication a faff, I mean, I still do, but I also see its uses and it has saved my accounts from being accessed. I have seen people stating that 2FA/MFA is not secure, but what they are usually referring to is the 2FA system that uses SMS or email messaging to communicate the code. These systems can be subject to vulnerabilities and exploited to read the code, particularly in the case of SMS as the message is not encrypted (and neither are some emails). What these people are not talking about is apps like "Google Authenticator", which are now becoming more popular. Apps like this use a hash-based message authentication code (HMAC) over a shared secret and a moving counter (usually the current time) to generate a one-time, human readable code, usually 6 digits long. This is much more secure than SMS or email based codes, but phishing attempts can still lead to you unknowingly entering your code into a website set up by the scammers.
Any 2FA/MFA is better than no 2FA/MFA. Users still need to be aware of where they are entering any codes and to make sure their devices do not have any malware installed, but to say all 2FA/MFA is not secure is simply not true.
Myth: I don't need antivirus
Some people believe they don't need an antivirus/antimalware product installed on their device for numerous reasons, some of which are:
- I have a firewall
- I don't visit porn sites
- I'm careful when I click on any link
- I don't use Microsoft Windows
- I have a popup blocker
None of these are good reasons not to have some good antimalware software installed. They all help reduce the risk of being infected, but nothing can rule it out 100%. Having a good antimalware product reduces these risks even further. There is one thing to be clear on though: no antimalware product can protect you 100%. Different software will protect you in different ways and offer different features. We all have our preferences, but if you are running Windows 10 or 11, using the built-in Microsoft Defender is now a viable option. Microsoft have done a lot of work on making this software something that we can trust. A properly configured system with Microsoft Defender can be a well protected device.
There is malware for other operating systems, like macOS, Android and Linux, but it is not as common, partly because Microsoft Windows has the dominant share of the market.
Some people don't like using antimalware products because they keep bothering them to confirm whether they would like to run certain software. If you are one of these people, my suggestion is to look at the software that is causing the prompt and ask why it is triggering the antimalware software.
Many people believe in "security through obscurity". They simply do not believe themselves to be worthy of being hacked or targeted by these criminals. Let me just say that the majority of malware, including ransomware, does not care who you are; it just wants to infect as many devices as possible and get your money.
Having seen some of these bad practices in action, both in a domestic and a commercial setting, and also some of the damage that they can do, I hope that even if just one more person stops following these bad ideas, the cyber world will be a bit safer.
If you would like to know more about cyber security and how you or your business can strengthen your current security, please contact us for advice or a consultation.