Avoiding 'hacklore'
I mentioned a few months ago the hysteresis effect which means there’s always a lag — and sometimes a big lag — between the state of things and our response to it.
Advice around privacy and security is a good example of this. People are often way out of date with what constitutes good practice. This open letter from “current and former Chief Information Security Officers (CISOs), security leaders, and practitioners” points to advice to avoid public wifi, never charge from public USB ports, and to regularly ‘clear cookies’ as being pointless.
This constitutes what they call “hacklore” (a blend of “hacking” and “folklore”): modern urban legends about digital safety. It “spreads quickly and confidently… as if it were hard-earned wisdom” but “like most folklore, it isn’t grounded in reality, no matter how plausible it sounds.”
Instead of this hacklore they suggest the following, and have a newsletter which you might want to subscribe to if this piques your interest:
Keep critical devices and applications updated: Focus your attention on the devices and applications you use to access essential services such as email, financial accounts, cloud storage, and identity-related apps. Enable automatic updates wherever possible so these core tools receive the latest security fixes. And when a device or app is no longer supported with security updates, it’s worth considering an upgrade.
Enable multi-factor authentication (“MFA”, sometimes called 2FA): Prioritize protecting sensitive accounts with real value to malicious actors such as email, file storage, social media, and financial systems. When possible, consider “passkeys”, a newer sign-in technology built into everyday devices that replaces passwords with encryption that resists phishing scams — so even if attackers steal a password, they can’t log in. Use SMS one-time codes as a last resort if other methods are not available.
Use strong passphrases (not just passwords): Passphrases for your important accounts should be “strong.” A “strong” password or passphrase is long (16+ characters), unique (never reused under any circumstances), and randomly generated (which humans are notoriously bad at doing). Uniqueness is critical: using the same password in more than one place dramatically increases your risk, because a breach at one site can compromise others instantly. A passphrase, such as a short sentence of 4–5 words (spaces are fine), is an easy way to get sufficient length. Of course, doing this for many accounts is difficult, which leads us to…
Use a password manager: A password manager solves this by generating strong passwords, storing them in an encrypted vault, and filling them in for you when you need them. A password manager will only enter your passwords on legitimate sites, giving you extra protection against phishing. Password managers can also store passkeys alongside passwords. For the password manager, use a strong passphrase since it protects all the others, and enable MFA.
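As an added illustration (my own sketch, not code from the letter or its authors), here is what the passphrase criteria above look like when written down: generate words with a cryptographic random source, count the entropy that gives you, and check the two things you can verify after the fact, length and uniqueness. The wordlist is a constructed 32-word stand-in; a real generator would use a large published list.

```python
import math
import secrets

# Constructed, deliberately tiny wordlist for an offline demo. A real
# generator should draw from a list of thousands of words so each word
# contributes far more entropy than these 32 (5 bits per word) do.
DEMO_WORDLIST = [
    "apple", "bridge", "candle", "dragon", "engine", "forest", "garden",
    "harbor", "island", "jacket", "kettle", "ladder", "meadow", "needle",
    "orange", "pencil", "quartz", "ribbon", "saddle", "timber", "uniform",
    "velvet", "walnut", "yellow", "zephyr", "anchor", "basket", "copper",
    "desert", "falcon", "glacier", "hammer",
]

MIN_LENGTH = 16  # the letter's "16+ characters" floor


def generate_passphrase(n_words=5, wordlist=DEMO_WORDLIST):
    """Pick n_words uniformly at random using the CSPRNG behind `secrets`
    (never `random.choice`, which is predictable) and join with spaces,
    matching the letter's "short sentence of 4-5 words" advice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words, wordlist_size):
    """Entropy in bits for n_words drawn uniformly with replacement:
    each word contributes log2(wordlist_size) bits."""
    return n_words * math.log2(wordlist_size)


def is_strong(passphrase, already_used):
    """Apply the letter's two checkable criteria: long enough, and not
    reused anywhere else (already_used is the set of passphrases in your
    vault). Randomness cannot be verified after the fact; it is only
    guaranteed by generating with a CSPRNG as above."""
    return len(passphrase) >= MIN_LENGTH and passphrase not in already_used
```

With a published list of 7776 words, five words give roughly 64.6 bits of entropy; the same five words from this 32-word demo list give only 25, which is why list size matters as much as word count.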
Source: Stop Hacklore! Open Letter, www.hacklore.org/letter
Image: CC BY Robert Lord