Some cybersecurity advice has been around for ages: Frequently change passwords, avoid public Wi-Fi. But most experts say a lot of that knowledge is rooted in myth.
On Monday, an initiative launched to counter those stubborn misconceptions, on the premise that their persistence actually harms the practices that keep people secure.
Bob Lord, a former top cyber official at Yahoo and the Democratic National Committee and a former adviser at the Cybersecurity and Infrastructure Security Agency, unveiled hacklore.org — a portmanteau of “hacking and folklore” — to combat those cybersecurity superstitions.
Myths have always been around, handed down over time as “hard-earned” wisdom, as the site notes. “We used to wear amulets to keep ourselves safe,” Lord told CyberScoop.
But security practitioners and people who use tech don’t have unlimited bandwidth, he said.
“Our goal is to help everyday people and small organizations focus on the simple, fact-based steps that truly protect their data and devices—keeping software up to date, using strong passwords and passkeys, enabling multi-factor authentication, and recognizing social engineering,” the site explains. “By replacing fear with facts, we can make digital safety advice more accurate, actionable, and effective for everyone.”
As part of the initiative, Lord got more than 80 cybersecurity professionals to sign on to an open letter calling for a shift toward practical cybersecurity guidance that works. Signatories include cyber executives from major companies and organizations such as Okta and Microsoft, experts from industry and academia, and Lord’s former boss at CISA, Jen Easterly.
Out, they say: advice about never scanning QR codes, never charging devices from public USB ports and regularly deleting cookies. In: using multifactor authentication and a password manager, and keeping apps and devices updated.
The idea is to consolidate this “hacklore” in one place where anyone can read it or share it with others. The letter is also aimed at software providers, putting in a good word for “secure by design” and “secure by default,” two initiatives aimed at improving software security that Lord worked on at CISA. (Lord is now with the Institute for Security and Technology, but hacklore.org is a personal project.)
Lord isn’t sure where the project might go next, beyond the big launch. But he’s hoping it can make a dent in a phenomenon that “won’t be easy,” as he acknowledges. “Ask me again in a year,” he said.
