An Open Letter
To the public, employers, journalists, and policymakers:
We are a group of current and former Chief Information Security Officers (CISOs), security leaders, and practitioners who have seen how compromises unfold in the real world across industry, academia, and government. We write to correct a set of persistent myths about digital risk to everyday people and small businesses (as opposed to high-risk individuals) that continue to circulate widely online and in public advice columns.
The outdated advice
Specifically, we aim to retire the following outdated pieces of advice:
Avoid public WiFi: Large-scale compromises via public WiFi are exceedingly rare today. Modern products use encryption technologies to protect your traffic even on open networks, and operating systems and browsers now warn users about untrusted connections. Personal VPN services offer little additional security or privacy benefit for most people and don’t stop the most common attacks.
Never scan QR codes: There is no evidence of widespread crime originating from QR-code scanning itself. The true risk is social engineering scams, which are mitigated by existing browser and OS protections, and by being cautious about the information you give any website.
Never charge devices from public USB ports: There are no verified cases of “juice jacking” in the wild affecting everyday users. Modern devices prompt before enabling data transfer, default to restricted charging modes, and authenticate connected accessories.
Turn off Bluetooth and NFC: Wireless exploits in the wild are extraordinarily rare and typically require specialized hardware, physical proximity, and unpatched devices. Modern phones and laptops isolate these components and require user consent for pairing.
Regularly “clear cookies”: Clearing (or deleting) cookies doesn’t meaningfully improve security or stop modern tracking, which now includes identifiers and fingerprinting other than cookies.
Regularly change passwords: Frequent password changes were once common advice, but there is no evidence it reduces crime, and it often leads to weaker passwords and reuse across accounts.
This kind of advice is well-intentioned but misleading. It consumes the limited time people have to protect themselves and diverts attention from actions that truly reduce the likelihood and impact of real compromises.
Sound security guidance should be accurate, proportional, and actionable. With that standard in mind, we recommend replacing the above advice with clear, fact-based guidance that helps people and organizations manage real risk while enabling modern, connected use of technology.
Recommendations for the public
While the news is often filled with exotic attacks against high-value individuals and organizations, the truth is that for most people the basics are still the basics and should be the foundation of any security advice to the everyday person or small business.
Keep critical devices and applications updated: Focus your attention on the devices and applications you use to access essential services such as email, financial accounts, cloud storage, and identity-related apps. Enable automatic updates wherever possible so these core tools receive the latest security fixes. And when a device or app is no longer supported with security updates, it’s worth considering an upgrade.
Enable multi-factor authentication (“MFA”, sometimes called 2FA): Prioritize protecting sensitive accounts with real value to malicious actors such as email, file storage, social media, and financial systems. When possible, consider “passkeys”, a newer sign-in technology built into everyday devices that replaces passwords with encryption that resists phishing scams — so even if attackers steal a password, they can’t log in. Use SMS one-time codes as a last resort if other methods are not available.
Use strong passphrases (not just passwords): Passphrases for your important accounts should be “strong.” A “strong” password or passphrase is long (16+ characters), unique (never reused under any circumstances), and randomly generated (which humans are notoriously bad at doing). Uniqueness is critical: using the same password in more than one place dramatically increases your risk, because a breach at one site can compromise others instantly. A passphrase, such as a short sentence of 4–5 words (spaces are fine), is an easy way to get sufficient length. Of course, doing this for many accounts is difficult, which leads us to…
Use a password manager: A password manager solves this by generating strong passwords, storing them in an encrypted vault, and filling them in for you when you need them. A password manager will only enter your passwords on legitimate sites, giving you extra protection against phishing. Password managers can also store passkeys alongside passwords. For the password manager, use a strong passphrase since it protects all the others, and enable MFA.
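As an added example (not part of the letter), the passphrase rules above turned into code: a generator that draws words with the operating system's random source, an entropy estimate, and checks for the length and reuse conditions the letter names. The word list is a constructed stand-in; the 7,776-entry figure is the size of a common diceware-style list, assumed here only for the entropy calculation.

```python
import math
import secrets

# Constructed stand-in word list; a real diceware-style list has thousands
# of entries (7,776 is assumed below). This short list only shows the mechanics.
SAMPLE_WORDS = ["anchor", "basket", "candle", "desert", "ember", "falcon",
                "garden", "harbor", "island", "jungle", "kettle", "lantern",
                "meadow", "nickel", "orchid", "pepper", "quartz", "river",
                "saddle", "timber", "umbrella", "velvet", "walnut", "yonder"]

MIN_LENGTH = 16  # the letter's threshold for a "strong" passphrase


def generate_passphrase(words=SAMPLE_WORDS, count=5):
    """Pick `count` words uniformly at random with the OS CSPRNG (the secrets
    module, not random.random()) and join them with spaces, as the letter suggests."""
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(count, list_size):
    """Guessing entropy, in bits, of `count` words drawn uniformly from a
    list of `list_size` words: each word contributes log2(list_size) bits."""
    return count * math.log2(list_size)


def is_strong(passphrase, already_used):
    """The letter's checks that can be tested offline: long enough and never
    reused. Randomness is guaranteed by generating with generate_passphrase()."""
    long_enough = len(passphrase) >= MIN_LENGTH
    unique = passphrase not in already_used
    return long_enough and unique


def reused_passphrases(vault):
    """Given {account: passphrase}, return the passphrases used on more than one
    account; a breach at any one of those sites exposes all of them."""
    counts = {}
    for phrase in vault.values():
        counts[phrase] = counts.get(phrase, 0) + 1
    return {phrase for phrase, n in counts.items() if n > 1}


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, "->", round(entropy_bits(5, len(SAMPLE_WORDS)), 1), "bits (toy list)")
    print("5 words from a 7,776-word list:", round(entropy_bits(5, 7776), 1), "bits")
```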
Recommendations for organizations
Organizations should build systems that don’t fail catastrophically when people make mistakes—especially when they are victimized by malicious actors. Create clear, simple ways for employees to report and escalate suspicious activity, and acknowledge those reports quickly so people feel supported, not blamed. If an employee’s mistake creates significant harm to the organization, the design of the system was brittle—and not resilient—by design. For system administrators, require phishing-resistant MFA and commit to a plan to eliminate reliance on passwords across the organization.
Recommendations for software manufacturers
Finally, to be clear, no software or system is perfectly secure. Every day, new weaknesses are discovered in modern devices, operating systems, and applications. But how we handle those reports is what determines the real outcome. The responsibility for preventing harm should not rest with the public or enterprises; it lies with software manufacturers to fix their defective code—not with over a billion users to modify their behavior.
We call on software manufacturers to take responsibility for building software that is secure by design and secure by default—engineered to be safe before it ever reaches users—and to publish clear roadmaps showing how they will achieve that goal. They should ensure all network traffic is protected with modern encryption protocols and incentivize independent security researchers through formal, responsive bounty programs that include explicit safe-harbor protections. Manufacturers must also commit to publishing CVE records—the public catalog of known software vulnerabilities—that are complete, accurate, and timely for all issues that could put users at risk, including those discovered internally.
Conclusion
We urge communicators and decision-makers to stop promoting “hacklore”—catchy but inaccurate advice—and instead share guidance that meaningfully reduces harm. We stand ready to help public agencies, employers, and media organizations reframe cybersecurity advice so it is practical, proportionate, and based on current realities.
Sincerely,
Ben Adida, VotingWorks
Heather Adkins
JJ Agha, CISO, FanDuel
Ian Amit, former CSO Cimpress, Rapid7. Founder & CEO Gomboc.ai
Matt Aromatorio, Head of Security, Hebbia
Scott Bachand, CISO, RO
Andrew Becherer, CISO, Sublime Security
Geoff Belknap, Deputy CISO, Microsoft
Betsy Bevilacqua, CISO
David Bradbury, CSO, Okta
Bill Burns, former CISO and Trust Officer Informatica, former Netflix
Elie Bursztein
Jack Cable, CEO & Co-founder, Corridor
Michael Calderin, CISO
Aimee Cardwell, former CISO UnitedHealthGroup
Sean Cassidy, CISO, Asana
Jason Chan, retired - former CISO Netflix and VMware
Michael Coates, former CISO Twitter
Bil Corry, CISO Sardine.ai
Neil Daswani, CISO-In-Residence at Firebolt Ventures, former CISO of multiple, multi-billion-dollar public companies
Jacob DePriest, CISO/CIO 1Password
Michael Tran Duff, CISDPO, Harvard University
Jen Easterly, former Director of CISA
Andy Ellis, former CSO, Akamai
Gary Ellison, former VP of Trust, Roku
Melanie Ensign, CEO, Discernible
Josh Feinblum, former CSO DigitalOcean, Rapid7
Trey Ford, Chief Strategy & Trust Officer, Bugcrowd
Eva Galperin
Yael Grauer, Program Manager, Cybersecurity Research at Consumer Reports
Eric Grosse, former security lead for Google
Esteban Gutierrez, CISO
Damian Hasse, CISO, Moveworks
Gary Hayslip, CISO in Residence, Halcyon.ai
Tyler Healy, CISO, DigitalOcean
Marcus Hutchins, Principal Threat Researcher, Expel
Mike Johnson, CISO
Chuck Kesler, CISO, Pendo
Aaron Kiemele, CISO, Perforce
Lea Kissner, CISO, VP Engineering, LinkedIn
VP, Android and Made-by-Google Security & Privacy, Google
Sasha Koff, Managing Director of Cyber Readiness Institute
Tyson Kopczynski, former 2xCISO
Sara Lazarus, Founder and CISO, Faded Jeans Technology LLC
Katie Ledoux, CISO, Attentive
Nate Lee, Founder, TrustMind, 2x former CISO
Eugene Liderman, Sr. Director of Android Security & Privacy Product
Bob Lord, former CISO Yahoo, DNC
Ciaran Martin, University of Oxford & former head of the UK National Cyber Security Centre
Keith McCartney, SVP Security & IT, DNAnexus
elle mckenna, security leader
Zack Moody, CISO, KYOCERA AVX
James Nettesheim, CISO, Block
T.C. Niedzialkowski, Head of Security and IT Opendoor
Rupa Parameswaran
Helen Patton, Cybersecurity Executive Advisor
Bryan Payne
Lisa Plaggemier, Exec Dir, National Cybersecurity Alliance
Hannah Poteat, Asst. General Counsel, Privacy & Cybersecurity Law
Alex Rice, Founder & CTO, HackerOne
Felix Ritscher, CISO, VP of Security & Infrastructure, Supplemental Health Care
Chris Roosenraad, CSO DNC
Craig Rosen, former CISO Cisco AppDynamics and FireEye/Mandiant
Guillaume Ross, former head of security @ JupiterOne, Fleet
Marci Rozen, Senior Legal Director, ZwillGen PLLC
Larkin Ryder, former CSO at Slack, former Head of Compliance at Anthropic
Runa Sandvik, Founder, Granitt
Bala Sathiamurthy, CISO
Cory Scott, former CISO LinkedIn, Confluent, Google Devices & Services
Andrew Shikiar, Executive Director & CEO FIDO Alliance
Alex Smolen, Former Director of Security at LaunchDarkly
Matthew Southworth, CSO, Priceline.com
Alex Stamos, CSO, Corridor, former CSO of Facebook, Yahoo and SentinelOne
Andy Steingruebl, CSO, Pinterest
Joe Sullivan, CEO of Ukraine Friends and Joe Sullivan Security LLC
Parisa Tabriz, VP/GM Google Chrome
Per Thorsheim, previously 2xCISO, founder of PasswordsCon
Steve Tran, CISO, Iyuno
Shawn Valle, CEO Cybersecurity Growth, former CSO/CISO Rapid7, Tricentis
Jonathan Werrett, Head of Security, Semgrep
Andrew Whalley, Chrome Security
Tarah Wheeler, Chief Security Officer TPO Group
Dave Wong, Director, Mandiant
Josh Yavor, former CISO Tessian, Cisco Secure
Sounil Yu, former Chief Security Scientist Bank of America, Chief AI Officer Knostic
Sean Zadig, CISO, Yahoo