There’s a lot of security advice floating around the web. A lot. While much of it is solid and will help you improve your security posture, you’ll occasionally encounter advice that is not so good. For example, it’s not uncommon to see articles presenting outdated recommendations or theoretical security risks that have been blown out of proportion. And, in some instances, the information is just plain wrong.
Here are eight examples of bad security advice that you can safely ignore.
1. Change your password regularly
In the past, the best practice was to change your passwords every few months. The reasoning was simple: in the event that an attacker stumbled across one of your old passwords, it would no longer be in use and your account would be safe.
However, this advice is now considered outdated and has been for years. Here’s why:
- Shortcuts: Users who frequently change their passwords tend to take shortcuts – by recycling passwords or incorporating personal information into them, for example – weakening account security.
- Practicality: While frequent password resets might have been feasible when you only had a handful of accounts to worry about, these days you probably have hundreds of accounts across online services to manage, each with its own unique set of login credentials. Changing all of your passwords periodically would be a logistical nightmare.
Rather than changing your passwords periodically, you should use a good password manager – preferably one that will notify you if one of your passwords is involved in a breach – to stay on top of your login credentials, and protect your accounts with multi-factor authentication.
2. Don’t scan QR codes
As the use of QR codes has surged in popularity, some security experts – including the FBI – have raised concerns that threat actors could use them to redirect people to phishing sites and/or malware downloads.
While these attacks are theoretically possible, real-world cases are few and far between, and you are exponentially more likely to run into malware or a phishing attack in your email or SMS inbox. The advice isn’t wrong, per se; it’s just extremely far down the security priority list for most people.
The risk of scanning a QR code is near zero. With that being said, if you’re going to be entering financial information, it’s better to be safe than sorry, regardless of whether you’re trying to access the page via a URL or QR code. Just take a second to manually type the URL into your browser and you’re good to go.
3. Just use a Mac!
Overzealous Apple users sometimes like to claim that Macs are somehow immune to malware. As in, if you really wanted to up your cybersecurity game, you’d just make the switch to macOS!
The reality is that no operating system is perfect when it comes to security. While Apple’s “walled garden” ecosystem might provide a higher level of software quality control than the Wild West Windows environment, it’s still possible to get malware on a Mac, including trojans, droppers, ransomware and more.
The main reason fewer malware threats exist for Mac is simply that Windows is a bigger target. Windows commands around 76 percent market share, while just 16 percent of desktop and laptop users are on macOS. For cybercriminals, there’s less to gain by going after the smaller fish, so they tend to target the system with the larger user footprint.
Yes, Macs still get malware. No, it doesn’t make sense to transition to an entirely new operating system that may not be much more secure.
4. Change your language settings to avoid ransomware
Some cybersecurity experts have suggested that changing your keyboard layout and language settings to Russian could be an easy way to protect your system from ransomware.
How? Well, ransomware gangs typically don’t face any repercussions from law enforcement agencies inside the Commonwealth of Independent States, provided they don’t target organizations in those regions. And in order to avoid inadvertently targeting a CIS-based organization, many ransomware families check the language and keyboard settings of the target system before executing the payload. If a CIS language – such as Russian – is detected, the ransomware terminates without encrypting a single file.
However, there are some major holes in this piece of security advice. Firstly, it’s not enough to simply install a CIS language keyboard. Most ransomware strains check the system’s active language, not just the installed languages, which means – unless you’re willing to use a Russian keyboard layout – the ransomware will still execute. Secondly, and more importantly, the language checking process is just one small step in a threat actor’s target verification process. Ransomware operators use various techniques to learn as much as they can about their targets and can easily identify whether an organization is legitimately located in the CIS, regardless of its keyboard and language settings.
Changing your language setting or using a Cyrillic keyboard layout is highly unlikely to thwart any ransomware attacks. You are far better off using that time to implement proven ransomware mitigation techniques.
5. Don’t use public charging stations
In recent years, various cybersecurity experts – including the FCC – have issued warnings about juice jacking, a type of attack whereby a threat actor loads malware into the USB port of a public charging station. Because the USB standard conveys both electricity and data, there’s a risk that plugging your device into a compromised USB port to charge it could lead to data theft or malware infection.
But you don’t need to be overly concerned about juice jacking. While it is theoretically possible that a particularly determined cybercriminal could hack a public charging station, the chances of coming across this type of attack and it actually working are extraordinarily slim. In fact, we aren’t aware of any real-world juice jacking incidents to date.
There have been a few proof-of-concept examples of juice jacking, but in-the-wild attacks are extremely uncommon, or even non-existent. For threat actors, they’re difficult to implement and not scalable. You almost certainly don’t need to worry about this one; there are more important things on your security to-do list.
6. Use a VPN to improve your security and privacy
Consumer VPNs are useful if you want to shield your activity from your ISP or access geo-restricted content.
In terms of security, however, the benefits of a VPN are fairly limited. VPNs do encrypt your network traffic, which was somewhat useful back in the days when most of the Internet was still using unencrypted HTTP. But now that the vast majority of the web is using HTTPS – see point #8 below – a VPN doesn’t really offer too much in the way of security. Or privacy. You’re basically substituting the VPN provider for your ISP so, unless you trust the former more than the latter, you’re not really improving your situation.
Unless you’re trying to access geo-restricted content or torrenting, you probably don’t need a VPN. The reality is that using one would do little to improve either your security or your privacy.
7. Don’t click on suspicious links
The problem with this piece of advice is that people don’t click on links that look suspicious to them – after all, nobody is actively trying to get infected with malware or fall for a phishing attack. Rather, people click on links that don’t look suspicious to them.
Instead, we should be talking about clues that may indicate that a link is malicious. For example, if you hover over a URL and discover that the destination address doesn’t match the link text, there’s a good chance that you’re dealing with a malicious link. Similarly, if the content containing the link is poorly written or visually off-brand, or if you’re asked for information that should never be disclosed – like a password or PIN number – you should probably avoid clicking on the URL.
Being cautious with your clicks is important but, before you can start avoiding malicious links, you’ll need to know what a malicious link actually looks like!
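The mismatch between link text and destination described above can also be checked automatically, for instance by a mail filter. The following is an added example, not part of the original article: it scans an HTML body for links whose visible text looks like a web address but names a different host than the actual `href`. The function names and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that itself looks like a web address (scheme optional).
URLISH = re.compile(
    r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[:/?#]\S*)?$", re.I)

def norm(host):
    """Lower-case a hostname and ignore a leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

class LinkAuditor(HTMLParser):
    """Collects (link text, href) pairs whose text names a different host."""
    def __init__(self):
        super().__init__()
        self.mismatches, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        text = "".join(self._text).strip()
        shown = URLISH.match(text)
        dest = urlsplit(self._href.strip())
        # Only http(s) destinations with a host are compared.
        if shown and dest.scheme in ("http", "https") and dest.hostname:
            if norm(shown.group(1)) != norm(dest.hostname):
                self.mismatches.append((text, self._href))
        self._href = None

def find_mismatched_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.mismatches

# Constructed sample message body (reserved .example/.test names).
SAMPLE = """
<p>Statement: <a href="https://www.bank.example/s">bank.example/s</a></p>
<p>Verify: <a href="http://bank.example.acct-check.test/login">https://bank.example/login</a></p>
<p><a href="https://news.example/">Read more</a></p>
"""
```

Calling `find_mismatched_links(SAMPLE)` flags only the second link. Links with ordinary wording such as "Read more" are not flagged, which is why the other clues mentioned above still matter.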
8. Don’t use public Wi-Fi
In the early days of the Internet, most websites used unencrypted HTTP. That meant other people on your network could easily snoop on your network traffic, view the web pages you were accessing, monitor your messages and intercept any other data you might have sent.
However, this all began to change with the gradual widespread deployment of HTTPS, a protocol that secures the communication between your browser and the web server. With HTTPS, traffic is encrypted, which means that even if your data is intercepted it will not be usable. These days, about 95% of web page loads use HTTPS and most browsers will warn you if you visit a traditional HTTP site.
Just about every online service that matters uses HTTPS and the real-world risk of using public Wi-Fi is very low. And no, you don’t need to use a VPN – not even on public Wi-Fi.
Not all security advice is created equal. While not all of the recommendations on this list are outright wrong, they’re just not a priority for the vast majority of the population. For most people, focusing on the proven basics – things like minimizing attack surfaces, practicing good patch management, turning on multi-factor authentication and maintaining a robust backup strategy – will do a lot more for your security posture than any of the recommendations mentioned in this article.