Expert Debunks Worthless “Security” Practices And Myths

IT expert Sean Gallagher recently published a list of the most worthless security practices that everyone should avoid. Below are five of the most widespread cybersecurity myths.

MYTH 1: Change Your Password Every 30 Days

The low security of short passwords has led to new guidelines requiring passwords to be changed regularly. However, policies that restrict the characters that can be used in passwords tend to weaken complexity and security. Long passwords built from words, spaces, and punctuation marks are much more memorable for the user than arbitrary strings of numbers and symbols that are easily forgotten.

Users are instead advised to choose a relatively long and complex password for home or work computers and only change it if it is stolen or shared with someone. Forced rotation every 30 days, or on demand, only makes passwords harder to remember and pushes users toward poor workarounds (such as incrementing a digit) that produce weaker passwords.

MYTH 2: Don’t write it down.

Passwords simply should not be written down in public places, such as on a desk or in a cubicle. Moreover, many two-factor authentication services encourage printing and saving recovery codes in case users ever lose access to a second-factor app or device. You can also choose to save them in your device’s password manager.

Such high-quality passwords should be complex and memorable, but when they are used very rarely they tend to be forgotten, so it is actually a good idea to write them down in a secure, private place.

However, never store passwords in a text file or any other unencrypted format that does not have password protection.

MYTH 3: 2FA is scary.

Two-factor authentication (“2FA”) is an excellent way to protect login credentials after a threat actor manages to steal a user’s password. Any 2FA is better than no 2FA, as 2FA thwarts nearly 90% of all hacking attempts.

But just having 2FA is no guarantee that someone won’t succeed in getting what they want. If you receive an e-mail link that takes you to a website asking for your login credentials, and you then receive a 2FA prompt for that login, be vigilant: the arrival of a 2FA prompt says nothing about the legitimacy or trustworthiness of the link. Take a close look at the link and do not simply enter the code or click the approve button. If in doubt, stop the process altogether.

MYTH 4: Your VPN protects you.

Virtual private networks are no longer very useful; they merely hide the Domain Name Service requests a user makes, and the resulting IP addresses visited, from the user's Internet Service Provider. This does keep the ISP from collecting data about a user's Internet habits, but it simply hands that privilege to the VPN provider instead.

None of this stops VPN providers from using scare advertising to get you to install their VPN on your computer or phone.

MYTH 5: You don’t need antivirus.

An up-to-date Microsoft Defender on a properly configured Windows 10 or Windows 11 system is very well suited to blocking known threats. Unfortunately, however, misconfigured, half-disabled, and un-updated systems make up the majority of computers connected to the Internet. Therefore, antivirus is extremely important.

If any software tells you to disable antivirus protection for a folder so that it can run properly, the best advice is simply not to use that software.

IT World Canada Staff
The online resource for Canadian Information Technology professionals.
