For years, the cybersecurity industry has been telling a ghost story. We’ve warned you about the hacker in the hoodie at the local coffee shop. We’ve told you to fear the airport USB port. We’ve insisted that if you don’t change your password every 90 days, you’re basically inviting a breach.
There’s just one problem: most of that advice is Hacklore.
Coined by industry veterans like Bob Lord and formalized through the Hacklore.org initiative, "Hacklore" refers to cybersecurity advice that is outdated, oversimplified, or technically inaccurate. It’s the folklore of our industry—stories we keep telling long after the technology has moved on.
At Huntress, we’ve realized that repeating Hacklore isn't just a harmless habit. It’s a distraction that leaves businesses vulnerable to the threats that actually matter.
What is Hacklore (and why is it dangerous?)
According to the folks leading the charge at Hacklore.org, this "lore" consists of security myths that persist despite a total lack of evidence or a shift in the underlying technology.
Why should you care? Because security resources, meaning time, money, and attention, are finite. When we spend them on "security theater" (actions that make us feel safe but do not actually reduce risk), we create security fatigue. If employees are forced to follow ten useless rules, they are far more likely to ignore the eleventh, the one that actually stops a ransomware attack.
By chasing ghosts like "juice jacking," we ignore the real-world monsters like session hijacking and business email compromise (BEC).
Hacklore vs. reality: A quick guide for MSPs
If you’re an MSP or an IT lead, it’s time to audit your "Cybersecurity 101" guides. If you’re still giving the advice on the left, it’s time to switch to the reality on the right.
| The Hacklore (the myth) | The reality (the truth) |
| --- | --- |
| "Change your password every 90 days." | Forced periodic resets push people toward predictable, weaker passwords; NIST SP 800-63B now advises against them. Use long, unique passphrases and change a password only when there is evidence it was exposed. |
| "Look for the padlock icon to stay safe." | The padlock only means the connection to that site is encrypted and the certificate matches the domain in the address bar. It says nothing about who runs the domain; phishing sites obtain TLS certificates too. The padlock is not a seal of trust. |
| "Don't use public Wi-Fi for work." | With HTTPS now near-universal, traffic on public Wi-Fi is encrypted between the device and the site, so the network itself is rarely the weak point. Put the effort into identity protection (MFA and ITDR), endpoint protection (EDR), and keeping communications encrypted. |
| "Hover over links to see the URL." | Attackers are skilled at URL obfuscation (lookalike domains, userinfo tricks, trusted names buried in subdomains or paths), so hovering alone is not a reliable defense. Rely on DNS filtering and layered email security instead. |
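To make the last row concrete, here is an added example (not code from the original post or from Hacklore.org) that runs a set of constructed decoy links through two checks: the "does it mention the brand?" glance a hurried reader effectively performs, and a parse of the host the browser would actually connect to. The trusted domain `bank.example`, the decoy URLs, and the function names are all assumptions made for this illustration.

```python
"""Why "hover over the link and read the URL" is not a reliable defense.

Added example for the Hacklore table above; it is not code from the
original post or from Hacklore.org. The trusted domain and the decoy URLs
below are constructed for illustration. Each decoy is built so that a glance
at the hover text, or a naive "does it mention bank.example?" check, passes,
while the browser would actually connect to a different host.
"""
from urllib.parse import urlsplit, unquote

TRUSTED_DOMAIN = "bank.example"  # constructed: the site the user expects

# Constructed decoys, one obfuscation trick each.
SAMPLE_LINKS = {
    "genuine":   "https://bank.example/login",
    "userinfo":  "https://bank.example@evil.example/login",   # real host after '@'
    "subdomain": "https://bank.example.evil.example/login",   # brand as a subdomain
    "path":      "https://evil.example/bank.example/login",   # brand only in the path
    "redirect":  "https://evil.example/r?u=https%3A%2F%2Fbank.example%2F",  # brand in query
    "homoglyph": "https://b\u0430nk.example/login",           # Cyrillic 'а' (U+0430) for 'a'
}


def naive_check(url: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """What a hurried reader (or a sloppy filter) effectively does:
    look for the brand name anywhere in the link text."""
    return trusted in url.lower()


def effective_host(url: str) -> str:
    """Host a browser actually connects to: userinfo and port dropped,
    lowercased, non-ASCII labels converted to the punycode sent on the wire."""
    host = urlsplit(url.strip()).hostname or ""
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # leave an unencodable label as-is; it is flagged in assess()
    return host


def assess(url: str, trusted: str = TRUSTED_DOMAIN) -> dict:
    """Decide whether the link really lands on the trusted domain and
    record which obfuscation tricks are present."""
    parts = urlsplit(url.strip())
    host = effective_host(url)
    reasons = []
    if parts.scheme.lower() not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    if "@" in parts.netloc:
        reasons.append("userinfo before '@' pushes the real host out of view")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized (punycode) label: possible homoglyph")
    if any(ord(ch) > 127 for ch in host):
        reasons.append("non-ASCII host that could not be IDNA-encoded")
    on_trusted = host == trusted or host.endswith("." + trusted)
    if not on_trusted:
        if trusted in unquote(url).lower():
            reasons.append(f"{trusted!r} appears in the URL, but the host is {host!r}")
        else:
            reasons.append(f"host {host!r} is not under {trusted!r}")
    return {"host": host, "on_trusted": on_trusted, "reasons": reasons}


if __name__ == "__main__":
    for name, url in SAMPLE_LINKS.items():
        result = assess(url)
        print(f"{name:10} naive={naive_check(url)!s:5} "
              f"real={result['on_trusted']!s:5} host={result['host']}")
        for reason in result["reasons"]:
            print(f"{'':10}   - {reason}")
```

Every decoy except the homoglyph passes the naive brand-name check, and the homoglyph passes visually instead, while only the genuine link actually lands on the trusted domain. That gap between what a human reads and what the browser resolves is why the row above points at DNS filtering and email security rather than at user vigilance alone.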
The path forward: Drop the lore, defend the core
Cybersecurity is hard enough without fighting imaginary enemies. The leaders of the Hacklore initiative are calling for a "cleanup" of the ecosystem, and we’re standing with them.
Our challenge to you:
Audit your content: Read your own blog posts and client onboarding materials. Are you still talking about "juice jacking" or "Wi-Fi sniffers"?
Simplify your "asks": Give your employees and clients three things that actually work (like phishing-resistant MFA) rather than ten things that might help in a movie.
Visit Hacklore.org: Use their FAQ as a litmus test for your security awareness training.
Let's stop scaring people with 2010-era myths and start defending them with 2026-era reality. The attackers have moved on. It’s time we did, too.