In cybersecurity, there is a phenomenon we rarely talk about, but that almost everyone has encountered. It’s called hacklore.
The term comes from a combination of hacking and folklore. It describes security advice that has been repeated so many times that it is perceived as truth, even though it does not necessarily reflect what the threat landscape actually looks like today.
The Hacklore.org project has collected many such examples and is trying to clear up old security myths. Their point is not that the advice is always wrong, but that much of it is exaggerated, outdated or simply misunderstood.
Many of these tips originated 10–20 years ago. The technology was different. The networks were different. The attacks were different. Yet the advice lives on in security courses, internal IT guidelines, media articles, onboarding presentations and LinkedIn posts with "warnings".
The result is that we often spend a lot of time on scenarios that almost never occur, while the most common attacks receive less attention.
Most people have heard this advice:
Turn off Bluetooth when you’re not using it
Bluetooth vulnerabilities have existed, but modern implementations are significantly more secure than before. For most users, this is now a relatively low risk; the residual practical risk sits mostly in pairing with devices you do not trust, not in simply having the radio on.
This and similar recommendations still appear in many security programs. The problem is not that the attacks are impossible; the problem is that they are rarely realistic in practice. They are often theoretical attacks that only work if "all the planets are aligned." It takes an awful lot to exploit them, and modern technology has changed a lot since these attacks were more realistic:
HTTPS (encrypted traffic) is used almost everywhere
apps run in a sandbox
browsers have better security mechanisms
Thus, many of the classic scenarios are far less relevant than they once were.
In practice, most attacks are much simpler. Attackers rarely use complicated technical methods if they can achieve the same result in an easier way. On assignments for customers, we rarely see advanced attacks on public networks. What we do see again and again is phishing, password reuse, and lack of MFA.
Typical entry points we see again and again are:
phishing
stolen or reused passwords
missing MFA
vulnerable software
For an attacker, it is almost always easier to trick someone into logging in to a fake site than to carry out advanced attacks against random users on an airport network.
Another problem with hacklore is that it creates security noise.
Users are often given long lists of rules:
• do not use this network
• do not charge your phone here
• do not click there
• do not install this
When the list gets long enough, it becomes difficult to know what actually matters. The result is often that users ignore the advice altogether.
If the goal is to reduce risk, there are some measures that have a much greater effect than most others.
For most users, these are among the most important:
use long, unique passwords (or passkeys where the service offers them) and store them in a password manager, so that a breach of one site does not unlock the others.
prefer length over complexity. "Jegerutroliggladikattenemine" is a much better password than "kj%#|€12": the cost of an offline guessing attack grows exponentially with length, so a short password falls to a fast hash cracker no matter how many symbols it contains.
enable MFA wherever possible.
keep software and apps up to date.
These are measures that directly address the most common attack methods. It may not be as dramatic as stories about hackers on airport Wi-Fi, but this is where most attacks actually happen.
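To make the "length beats complexity" claim concrete, here is an added example (not code from the original article) that compares the brute-force search space of the two passwords quoted above. The guess rate of 10^10 guesses per second and the 20,000-word dictionary are assumed figures chosen for illustration; real cracking rates depend entirely on the hash algorithm and hardware. It also covers the caveat a practitioner would raise: a passphrase built from words should be measured against a word-level attack, not only a character-level one, and even then it holds up.

```python
import math
import string

# Assumed offline guess rate (guesses per second). Constructed figure for a
# fast hash on GPU hardware; slow, salted hashes are orders of magnitude lower.
GUESS_RATE = 1e10
SECONDS_PER_YEAR = 3600 * 24 * 365

# The two passwords quoted in the article.
SHORT_COMPLEX = "kj%#|€12"
LONG_SIMPLE = "Jegerutroliggladikattenemine"  # "Jeg er utrolig glad i kattene mine"


def charset_size(password: str) -> int:
    """Size of the conventional character classes an attacker must cover.

    Assumption: anything outside letters and digits is counted as one of
    33 printable symbols, the usual cracking-tool convention.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += 33
    return size


def brute_force_space(password: str) -> int:
    """Number of candidates in a character-level exhaustive search."""
    return charset_size(password) ** len(password)


def wordlist_space(words: int, dictionary_size: int) -> int:
    """Candidates for a word-level attack: dictionary_size ** words."""
    return dictionary_size ** words


def bits(space: int) -> float:
    """Search space expressed as bits of guessing entropy."""
    return math.log2(space)


def years_to_exhaust(space: int, rate: float = GUESS_RATE) -> float:
    """Time to try every candidate at the assumed guess rate."""
    return space / rate / SECONDS_PER_YEAR


def compare() -> dict:
    """Worked comparison of the article's two passwords."""
    short_space = brute_force_space(SHORT_COMPLEX)
    long_space = brute_force_space(LONG_SIMPLE)
    # Worst case for the passphrase: attacker knows it is 7 Norwegian words
    # drawn from an assumed 20,000-word list.
    word_space = wordlist_space(7, 20_000)
    return {
        "short_bits": bits(short_space),
        "long_bits": bits(long_space),
        "long_as_words_bits": bits(word_space),
        "short_years": years_to_exhaust(short_space),
        "long_as_words_years": years_to_exhaust(word_space),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>22}: {value:,.1f}")
```

The short "complex" password sits just under 49 bits, which the assumed cracker exhausts in about a day. The long passphrase is around 160 bits at the character level and still about 100 bits if the attacker guesses it word by word, which is far beyond any brute-force budget. Note what the numbers do not say: a long password that is reused, phished, or already in a breach dump is not protected by its length, which is why the password manager and MFA sit next to it in the list.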
The point isn’t that old security advice is always wrong. The point is that cybersecurity is constantly changing. Advice that was good many years ago isn’t necessarily just as relevant today.
Perhaps the most important question we should ask ourselves more often is:
Which security measures actually reduce risk the most right now?
Maybe we should spend a little less time on hacklore and a bit more time on the attacks that actually happen.