Frequently Asked Questions (FAQ)
Is this advice for everyone?
Mostly, yes—but it’s important to think about your personal threat model—what information you have that others might want, who might try to get it, and how they might try. For most people, the basics go a long way. However, high-risk individuals—such as journalists covering national security, human rights defenders, activists, election workers, senior government officials, corporate executives, or those facing intimate partner abuse—require additional, specialized guidance. The Resources page lists some sites with those audiences in mind.
If I just ignore the hacklore and do the basics, am I safe?
Doing the basics as outlined in the open letter will protect you from most of the attacks that actually happen in the wild. Those steps stop the overwhelming majority of compromises seen every day. But they’re the first steps, not the finish line. The links in the Resources section point to credible guides and tools that help you build on this foundation. Our goal is to clear away the bad advice so you can spend your time and energy on the measures that genuinely make a difference.
Why do these myths stick around?
Hacklore sticks around because people often learn their habits from trusted practitioners, friends, or authority figures who first encountered these risks decades ago. Many of those threats were real at the time, but the technology and threat landscapes have changed dramatically. Encryption is now the default, mobile operating systems isolate apps, and browsers block many attacks that once mattered. Yet much of the old advice keeps getting repeated without being re-evaluated for the modern era. At the same time, the people who know better rarely speak out, so outdated guidance continues to circulate unchallenged. This site exists to help reset that conversation and keep the focus on what actually reduces risk for most people today.
Isn’t public WiFi dangerous?
Not really—not the way it used to be. Almost all websites and apps now use encrypted connections, so even on an open network your data travels securely. The bigger risks come from phishing, stolen passwords, or using outdated software. So be cautious about captive-portal pages and avoid providing information you wouldn’t ordinarily share. And to anticipate some questions, every technology has room for improvement, and the industry continues to push forward in areas like DNS security and additional safeguards that protect the website name you’re visiting, including the use of Encrypted Client Hello in TLS handshakes. Those improvements will be most welcome, but that’s not how the most common attacks succeed.
I thought QR codes were unsafe. Can’t they infect my phone?
Scanning a QR code is no different from clicking a link. A QR code cannot install malware by itself. The main risk is being tricked into entering your information on a fake website or being prompted to install an untrustworthy app. In some targeted cases, attackers may try to trick people into granting permissions or changing settings inside apps, but that is a form of social engineering, not something unique to QR codes. The important thing is to be cautious about the sites you visit and the actions you take after scanning. QR codes are simply a way to open a URL, not an intrinsic danger on their own.
What about those news stories where someone puts a fake QR code over a real one, like in a parking lot?
You should always be cautious with any new website you visit and any information you provide, no matter how you arrived there. If a QR code leads to a page involving financial transactions, take a moment to look for signs of tampering. Whether you reached the site through a QR code, a search result, or a link someone sent you, the same principle applies: examine the page carefully, confirm it’s legitimate, and be careful before entering personal or financial details. QR codes don’t introduce unique risks; they simply point you to a URL. The real protection comes from paying attention to where you’ve ended up, not from avoiding QR codes.
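The two answers above rest on one fact: a QR code carries nothing but a short string, and the phone's scanner decides what to do with it. The parser below, an added example that is not part of the original page, interprets the common payload conventions (a web URL, a WIFI: network descriptor, mailto:/tel:/sms: links) and reports the action the user is being steered toward, which is the part worth checking before accepting it. The sample payloads in the comments are constructed; example.com is a reserved documentation domain.

```python
"""Classify what a phone would do with the text decoded from a QR code."""
from urllib.parse import urlsplit

def classify_qr_payload(text: str) -> dict:
    """Return {'kind', 'action', 'details'} for a decoded QR string."""
    text = text.strip()
    if text.upper().startswith("WIFI:"):
        # Convention: WIFI:T:WPA;S:ssid;P:password;H:true;;  (key:value pairs
        # separated by ';'). Escaped semicolons (\;) are not handled here.
        # Joining a network is a settings change, not a web visit.
        fields = {}
        for part in text[5:].split(";"):
            if ":" in part:
                key, _, value = part.partition(":")
                fields[key.upper()] = value
        return {"kind": "wifi", "action": "join Wi-Fi network",
                "details": {"ssid": fields.get("S", ""),
                            "auth": fields.get("T", "")}}
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        # Plain web link: all that happens is a browser opens it, so the
        # host and whether it uses TLS are what the user should look at.
        return {"kind": "url", "action": "open website",
                "details": {"host": parts.hostname or "",
                            "tls": scheme == "https"}}
    if scheme == "mailto":
        return {"kind": "mailto", "action": "compose email",
                "details": {"to": parts.path}}
    if scheme in ("tel", "sms"):
        return {"kind": scheme, "action": f"start {scheme} to number",
                "details": {"number": parts.path}}
    # Anything else (custom app schemes, bare text) is just shown to the user.
    return {"kind": "text", "action": "display text", "details": {"text": text}}

if __name__ == "__main__":
    # Constructed sample payloads, one per convention handled above.
    for sample in ("https://example.com/pay?id=1",
                   "WIFI:T:WPA;S:CoffeeShop;P:secret;;",
                   "tel:+15551234567",
                   "just some text"):
        print(sample, "->", classify_qr_payload(sample)["action"])
```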
Should I stop using public USB charging stations?
You don’t have to. There are no confirmed cases of “juice jacking” affecting regular users. Phones today block data transfer by default when charging, and they’ll prompt you before allowing data access.
I heard I should change my passwords every 90 days. True?
That’s old advice. Frequent password changes often lead to weaker passwords or reuse. A long, unique, randomly generated password stored in a password manager is far safer—and adding multi-factor authentication (MFA) protects you even if a password leaks.
I thought passwords had to be “complex”, with letters, numbers, and special characters. Why isn’t that your recommendation?
Modern research shows that the most important factor in a strong password is length, not complexity. Even NIST updated its guidance to reflect this, noting that long passwords and passphrases are harder for attackers to crack in offline attacks. A long, unique password that is randomly generated and stored in a password manager gives you far more protection against common attacks than short strings filled with symbols. Unfortunately, many services still require complexity rules that you cannot change, so you will still need to follow those when they appear. But whenever you have the choice, choose length and uniqueness, and let a password manager handle the rest.
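The length-over-complexity point can be put in numbers. The script below is an added example, not from the original page: it computes the entropy (length × log2 of alphabet size) and worst-case exhaustive-search time for an 8-character fully complex password, a 16-character lowercase-only password, and a six-word passphrase from a 7776-word list, then generates a random password the way a password manager would. The guess rate of 1e11 per second is an assumed figure for an offline attack on a fast, unsalted hash; the figures assume the secret was generated uniformly at random, which human-chosen passwords are not.

```python
"""Compare guessing cost of short-complex vs long-simple passwords."""
import math
import secrets
import string

# 52 letters + 10 digits + 32 punctuation characters = 94 symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a string chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def compare(guesses_per_second: float = 1e11) -> dict:
    """Entropy (rounded to 0.1 bit) and exhaustive-search years per policy.

    The default rate is an assumption for a fast-hash offline attack;
    a slow password hash (bcrypt, scrypt, Argon2) cuts it by orders of magnitude.
    """
    policies = {
        "8 chars, full complexity": entropy_bits(8, len(PRINTABLE)),
        "16 chars, lowercase only": entropy_bits(16, 26),
        "6 random words (7776-word list)": entropy_bits(6, 7776),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in policies.items()}

def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Generate a uniformly random password with the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:34s} {bits:5.1f} bits  ~{years:,.0f} years")
    print("generated:", random_password())
```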
Don’t VPNs protect my privacy online?
Not as much as ads claim. VPNs can hide your IP address from the local network, but the VPN provider can still see any unencrypted traffic that your apps or operating system transmit. For most people, the encryption built into your apps already provides strong protection. VPNs make sense only for specific use cases, like bypassing local censorship or connecting securely to a work network. Users of Apple products should consider the iCloud Private Relay service, which is built into iPhones, iPads, and Macs, and which costs less than many commercial VPN services.
Do I need to do anything above the basics to protect my privacy?
Privacy in the modern era is complex, and it involves many factors that fall outside the scope of this site. While the security basics help, privacy risks often come from data brokers, online tracking, app permissions, and the policies of the services you use. For practical, trustworthy guidance, see our Resources page, especially the privacy advice from the Consumer Reports Security Planner and the EFF’s Surveillance Self-Defense guides. These offer clear next steps tailored to your needs and risk level.
I just saw a news story about a new security flaw that affects one of the items in the Hacklore list. Doesn’t that invalidate this advice?
No. All software has bugs—some of them security or privacy related—and it’s inevitable that flaws will occasionally be found in systems that handle things like WiFi, QR codes, or USB connections. When that happens, the right question isn’t “Should we tell millions of people to change their behavior?” but rather “Which manufacturer and product were affected, and what are they doing to fix it?”
Security defects are a normal part of the software lifecycle. The responsible reaction is to expect software makers to patch their products quickly and transparently—not to shift the burden onto users. We need to move the responsibility for staying cyber safe upstream, to the companies best positioned to make security improvements at scale. We need to demand software that is secure by design.
What’s the harm in taking a little extra precaution?
When it comes to advice aimed at everyday people, a lot. Time and attention are limited. Time spent working to prevent non-existent or rare attacks is time people aren’t using to take the steps that actually reduce their chances of being compromised. When we promote precautions that don’t meaningfully lower risk, we not only waste people’s time—we crowd out the actions that truly matter, like update hygiene, MFA, strong passphrases, and using a password manager.