VPNs help protect your online privacy by encrypting your internet connection and shielding your data from prying eyes. Stay informed about their legality and benefits to ensure secure browsing.
For years, the cybersecurity industry has been telling a ghost story. We’ve warned you about the hacker in the hoodie at the local coffee shop. We’ve told you to fear the airport USB port. We’ve insisted that if you don't change your password every 90 days, you’re basically inviting a breach.
There’s just one problem: most of that advice is Hacklore.
Coined by industry veterans like Bob Lord and formalized through the Hacklore.org initiative, "Hacklore" refers to cybersecurity advice that is outdated, oversimplified, or technically inaccurate. It’s the folklore of our industry—stories we keep telling long after the technology has moved on.
At Huntress, we’ve realized that repeating Hacklore isn't just a harmless habit. It’s a distraction that leaves businesses vulnerable to the threats that actually matter.
What is Hacklore (and why is it dangerous?)
According to the folks leading the charge at Hacklore.org, this "lore" consists of security myths that persist despite a total lack of evidence or a shift in the underlying technology.
Why should you care? Because security resources—time, money, and mental energy are finite. When we focus on "Security Theater" (actions that make us feel safe but don't actually reduce risk), we create security fatigue. If an employee is forced to follow ten useless rules, they are far more likely to ignore the eleventh rule, the one that actually stops a ransomware attack.
By chasing ghosts like "juice jacking," we ignore the real-world monsters like session hijacking and business email compromise (BEC).
Hacklore vs. reality: A quick guide for MSPs
If you’re an MSP or an IT lead, it’s time to audit your "Cybersecurity 101" guides. If you’re still giving the advice on the left, it’s time to switch to the reality on the right.
The Hacklore (The Myth) | The Reality (The Truth) |
"Change your password every 90 days." | Periodic resets can lead to weaker passwords. Use long, unique passphrases and only change them if there’s evidence of a breach. |
"Look for the Padlock icon to stay safe." | The padlock only means the connection is encrypted. Phishers use SSL certificates too. The padlock is not a "seal of trust." |
"Don't use public Wi-Fi for work." | Public Wi-Fi is generally safe due to modern encryption. Focus on Identity Protection (MFA, EDR, and ITDR) and secure encrypted communications instead. |
"Hover over links to see the URL." | Attackers are masters of URL obfuscation. Hovering alone isn’t a reliable defense. Rely on DNS filtering and advanced email security. |
The path forward: Drop the lore, defend the core
Cybersecurity is hard enough without fighting imaginary enemies. The leaders of the Hacklore initiative are calling for a "cleanup" of the ecosystem, and we’re standing with them.
Our challenge to you:
Audit your content: Read your own blog posts and client onboarding materials. Are you still talking about "juice jacking" or "Wi-Fi sniffers"?
Simplify your "asks": Give your employees and clients three things that actually work (like Phishing-Resistant MFA) rather than ten things that might help in a movie.
Visit Hacklore.org: Use their FAQ as a litmus test for your security awareness training.
Let's stop scaring people with 2010-era myths and start defending them with 2026-era reality. The attackers have moved on. It’s time we did, too.
Additional Resources
- Read more about What Is a VPN and Is It Secure?
- Read more about What Are Cloud Compliance Solutions? A Complete GuideLearn about cloud compliance solutions, key frameworks like GDPR and HIPAA, and how to maintain regulatory compliance in the cloud with automated tools.
- Read more about Proactive Cybersecurity Solutions for SMBs and MSPsProtect your business from PoC-based threats with Huntress. Discover our people-powered cybersecurity solutions that hunt, analyze, and respond before exploits strike.
- Read more about What Is a Browser Extension? How They Work & Security RisksA browser extension is a small software add-on that customizes your web experience—blocking ads, managing passwords, and more. Learn how they work, how they interact with websites, and how to stay safe while using them.
- Read more about What Are Business Compliance Regulations? | Huntress Cybersecurity 101Learn what business compliance regulations are and why they matter in cybersecurity. We break down HIPAA, GDPR, PCI DSS, and more in simple terms.
- Read more about What is IOA in Cybersecurity? Detect Attacks EarlyLearn how Indicators of Attack (IOA) improve cybersecurity by detecting threats in real-time. Discover the difference between IOA vs IOC and more!
- Read more about What Is a CVE? Common Vulnerabilities & Exposures ExplainedLearn about CVE (Common Vulnerabilities and Exposures), a universal system for cataloging cybersecurity vulnerabilities, and why it’s essential to cybersecurity professionals.
- Read more about What is a User Agent?Discover what a user agent is and how it facilitates web interactions. Learn about User-Agent strings and their role in web optimization.
- Read more about What is Cross-Site Request Forgery (CSRF)?Learn about Cross-Site Request Forgery (CSRF), a common cybersecurity threat, how it works, and how to protect against it.
Protect What Matters
Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free
