I am passionate about security, and these are 10 outdated security practices people still swear by

As someone who has reported on cybersecurity for over a decade, I've witnessed the evolution of security practices and technologies.

Unfortunately, I also still encounter many individuals and organizations clinging to outdated measures which only provide a false sense of security.

Here are 10 outdated security practices people still rely on, despite their ineffectiveness in today's threat landscape.

Password rotation every 30-90 days

Mandating frequent password changes without a justified reason can have unintended negative consequences.

When users are pressed to alter their passwords regularly, they often resort to creating slight modifications of previous passwords or implementing easily guessable patterns (like adding a number at the end or changing a letter to a symbol).

Studies have demonstrated that this behavior actually results in weaker password security overall, as attackers can more easily exploit these predictable changes.

A more effective strategy for enhancing security is to encourage the use of longer, more complex passphrases.

Passphrases are typically easier for users to remember while still being difficult for attackers to guess.

Utilizing a password manager can also significantly improve password practices, as these tools can generate, store, and fill in complex passwords automatically, reducing reliance on memory and eliminating the need for repeated, insecure changes.

Moreover, rather than enforcing arbitrary password change policies, organizations should only require a password update when there is clear evidence of a security breach or compromise. This targeted approach strengthens overall security and fosters a more user-friendly experience, encouraging users to take password security more seriously without the burden of frequent changes.

Complex password requirements without context

At the same time, the demand for uppercase letters, numbers, and special characters often leads to predictable passwords, such as "Password1!", which can be easily cracked by modern tools.

Additionally, these strict requirements may prompt people to write down their passwords.

A more effective approach is to emphasize password length, recommend at least 12 to 16 characters, and encourage the use of password managers. These tools can generate and securely store truly random passwords.

Security questions as account recovery

Questions like "What's your mother's maiden name?" or "What was your first pet's name?" are commonly used as security questions for account verification.

However, these questions often rely on information that can be easily accessed through social media profiles or data breaches, making them a poor choice for safeguarding your accounts.

Using publicly available personal details undermines the effectiveness of these security measures, as malicious actors can potentially obtain this information with little effort.

As a result, these traditional security questions can create a weak point of entry for unauthorized access, putting your personal data at risk.

A far more robust approach to securing your accounts is to utilize app-based multi-factor authentication (MFA) or physical security keys.

MFA adds an extra layer of protection by requiring your password and a secondary verification method, which can include a code sent to your mobile device or an authentication app. This significantly reduces the likelihood of unauthorized access, as even if someone manages to obtain your password, they would still need the second factor to log in.

Moreover, physical security keys, such as YubiKeys, offer an even greater level of security. These small devices require you to physically possess the key to access your accounts, making it incredibly difficult for anyone else to gain entry, even if they know your password.

SMS-based two-factor authentication

While any form of two-factor authentication is better than none, SMS-based verification is susceptible to risks such as SIM swapping, interception, and social engineering attacks.

Despite these vulnerabilities, many services still promote it as their main security feature.

A more effective approach is to use authenticator apps, like Microsoft Authenticator or Google Authenticator, or to opt for physical security keys whenever possible.

Antivirus as complete protection

Traditional signature-based antivirus solutions often fail to provide robust protection against contemporary cyber threats.

These threats include zero-day exploits - vulnerabilities that are not yet known to software developers - fileless malware that operates in memory rather than relying on traditional files, and sophisticated phishing attacks that can bypass basic security measures.

Many users hold the misconception that simply having antivirus software installed on their devices guarantees comprehensive security against these evolving risks.

Unfortunately, this belief can lead to a false sense of security, leaving systems vulnerable to breaches.

To achieve a more effective security posture, it's crucial to adopt a layered approach. This includes implementing Endpoint Detection and Response (EDR) solutions, which offer real-time threat detection and remediation capabilities beyond what traditional antivirus can provide.

EDR solutions monitor endpoint activities, providing continuous visibility and protection against sophisticated attacks.

In addition to deploying EDR, maintaining regular system updates is essential. Keeping operating systems and applications up-to-date ensures that any known vulnerabilities are patched promptly, reducing the risk of exploitation.

Furthermore, providing security awareness training for users is vital. Educating employees about the latest phishing tactics, safe browsing habits, and the importance of reporting suspicious activities can significantly enhance an organization's overall security.

By combining these strategies, you can build a more resilient defense against the increasingly complex landscape of cyber threats.

Focusing solely on perimeter security

The traditional "castle and moat" approach to network security assumes that threats originate from outside the network.

However, insider threats, compromised credentials, and supply chain attacks can easily bypass these perimeter defenses.

A more effective strategy is to adopt zero-trust security principles, which operate on the premise that nothing should be automatically trusted, even within the network perimeter.

Obscurity as security

Many people still think that concealing information offers security, such as hiding admin panels with obscure URLs or depending on proprietary encryption algorithms.

However, relying on security through obscurity offers minimal protection against determined attackers.

A more effective approach is to implement transparent, well-tested security measures and to assume that attackers will find all parts of your system.

Overreliance on knowledge-based authentication

Authentication based solely on something you know (like passwords or PINs) is increasingly vulnerable as massive data breaches make personal information widely available to attackers.

The better approach is to implement multi-factor authentication, which combines something you know with something you have (like a security key) or something you are (biometrics).

Manual security patching

Delaying security updates or selectively applying patches makes systems vulnerable to known exploits.

Many organizations still depend on manual patching, which often involves lengthy testing cycles.

A more effective approach is to implement automated patch management, use appropriate testing environments, and prioritize critical security updates.

Compliance checklists over security outcomes

Meeting compliance requirements does not necessarily mean your organization is secure. Many organizations concentrate on merely fulfilling regulatory requirements instead of genuinely enhancing their security posture.

A more effective approach is to view compliance as a baseline rather than the ultimate goal. Instead, design security programs that address real threats specific to your organization, and regularly assess their effectiveness.