You’ve seen the memes and the warnings on social media — answering questions about your life history is ruining your password safety. It’s giving the bad guys the information they need to figure out your passwords and get the answers to your security questions.

But is that true? Are people lurking on social media waiting for you to reveal your favorite school teacher and your prom date? Someone with a grudge against you may use that information to do some damage, but in general, cyber criminals aren’t micro-targeting individuals. Rather, they are more likely to use a social engineering attack, like a malicious video or a phishing email informed by your social media activity, to gain access to your network and data.

No one should share sensitive information about themselves (it can be used for many other nefarious purposes). But the idea that this is a direct route to your password is one of the many myths that swirl around password safety.

Without a doubt, password security is vital for an organization. Access credentials, including passwords, are the gateway into your network. Yet the password continues to be a security hot spot. Employees are usually the weak link in credential failures, but that may be due to a lack of awareness of how threat actors actually harvest password information. Once these myths about passwords are dispelled, organizations can improve their security awareness training surrounding password hygiene.

Password Safety Myth No. 1: Never Write Down Your Password

Fact: For decades, the most common advice surrounding password security was to never write it down. While you don’t want to tape your password to your computer screen and then share a photo of it on social media (like one congressman did), writing down passwords and storing them in a safe place is fine. Threat actors use more sophisticated methods such as keylogging or brute force password attacks. The important thing to remember is that most cyber criminals want access to as many systems as easily as possible. One password at a time at a local level doesn’t matter to them.

Myth No. 2: Using Text Messaging as Multifactor Authentication (MFA) Security is Best

Fact: Using text messaging for MFA is certainly easiest for most people, but it isn’t the best way to ensure password safety. A new attack vector is your mobile phone number, which threat actors steal through SIM swapping.

An attacker looking to do a SIM swap will contact your phone provider and pretend to be you. Your number is then linked to the SIM card used by the bad guy. They will then have access to any MFA code that comes to your phone as a text, as well as any of the personally identifiable information tied to your phone number. Other MFA options, such as biometrics or authenticator apps, are a better choice.

Myth No. 3: I Don’t Need Password Safety Tips; My Passwords are Unique and Secure

Fact: With billions of passwords in use, it is unlikely that any password is truly unique. Most users create ‘unique’ passwords by changing letter cases or adding a symbol, and they do this only after being alerted that the ‘old’ password was breached. Threat actors use techniques like password spraying to try millions of common passwords against many accounts to gain access to a network. And yes, while your passwords may indeed be unique and hard to crack, it only takes one bad password to gain access to the entire system.
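Password spraying has a recognizable shape in authentication logs: one source tries many accounts a few times each, which is the opposite of a brute-force run against a single account. The following is an added detection example, not code from the original article; the failed-login records are constructed, and the thresholds (`min_accounts`, `max_per_account`, `min_attempts`, `window`) are assumed starting points to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-login records: (UTC time, source IP, username attempted).
# A spray shows up as one source trying MANY accounts a FEW times each; a
# brute-force run is ONE account hit many times from the same source.
FAILED_LOGINS = [
    ("2024-01-08T09:00:01", "203.0.113.7", "alice"),
    ("2024-01-08T09:00:03", "203.0.113.7", "bob"),
    ("2024-01-08T09:00:05", "203.0.113.7", "carol"),
    ("2024-01-08T09:00:07", "203.0.113.7", "dave"),
    ("2024-01-08T09:00:09", "203.0.113.7", "erin"),
    ("2024-01-08T09:00:11", "203.0.113.7", "frank"),
    ("2024-01-08T09:10:00", "198.51.100.9", "alice"),  # one account, hammered
    ("2024-01-08T09:10:01", "198.51.100.9", "alice"),
    ("2024-01-08T09:10:02", "198.51.100.9", "alice"),
    ("2024-01-08T09:10:03", "198.51.100.9", "alice"),
    ("2024-01-08T09:10:04", "198.51.100.9", "alice"),
    ("2024-01-08T09:10:05", "198.51.100.9", "alice"),
    ("2024-01-08T09:30:00", "192.0.2.44", "grace"),    # an ordinary typo
]


def classify_sources(events, window=timedelta(minutes=15),
                     min_accounts=5, max_per_account=2, min_attempts=5):
    """Return {source_ip: "spray" | "brute_force"} for sources whose failed
    logins inside `window` match either shape; quiet sources are omitted."""
    by_source = defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((datetime.fromisoformat(ts), user))
    verdicts = {}
    for src, attempts in by_source.items():
        attempts.sort()  # order by time so the window below is contiguous
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if sum(per_user.values()) < min_attempts:
                continue  # too little activity to call either way yet
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                verdicts[src] = "spray"
                break
            if len(per_user) == 1:
                verdicts[src] = "brute_force"
                break
    return verdicts
```

In practice the same logic is run per source against your identity provider's failed-sign-in events, and the spray verdict is what lockout-per-account policies miss, since no single account ever crosses its lockout threshold.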

The more users know about how threat actors actually acquire passwords, the better password safety will be. Debunking myths is the first step.
