5 outdated security practices you shouldn’t use anymore

When I was younger, I was told “never use your real name on the internet.” But the world has changed, and I don’t follow that advice anymore. Likewise, there’s a lot of well-meaning online security advice that has outlasted its usefulness.

There’s a core of truth to each one of the security practices I criticize below, but you shouldn’t blindly follow these old tips. At best, you’ll be wasting your time. At worst, you’ll be putting yourself more at risk. Read on to learn more about the five outdated security practices you shouldn’t use anymore.

Constantly changing your passwords

“You should change your passwords regularly” is one of those ancient bits of security advice that’s still bouncing around. Many organizations still forcibly expire their employees’ passwords, and I’ve used online account systems from financial organizations that do the same. After the password is forcibly expired, you’re asked to set a new password.

Regularly changing passwords is time-consuming. I use a password manager to remember my passwords, something I recommend to everyone, as it is really the only way to use a strong, unique password on each website unless you have a spacious photographic memory. But, even if you wouldn’t have to remember each new password you set, you’d lose a lot of time if you were changing them all on a schedule.

Worse yet, constantly changing passwords forces people to set weak passwords. People often use the same password with a one or two at the end, for example. It’s not their fault: these people are trying to get on with their day and cope with the confusing password system. That’s why organizations that were at the forefront of required frequent password changes have been backing down.

So why do some people think you should regularly change your passwords? The theory is that this will prevent someone who intercepted your password at some point from continuing to use it – if someone has access to your account, they’ll at least lose that access when you change your password. But there are better ways to do this.

Two-factor authentication, which you should also set up for your important accounts, ensures that people can’t get into the account with just your password, even if they do know the password!

If a website gets breached and passwords leak, it’s smart to change your account password on that website. Many websites will let you know when something like this happens, too, asking for a new password from you. And if you were re-using that password on multiple websites, it would be a good idea to change that password on all the websites you used it on.

But the better solution is to set unique passwords for each website you use, store them in a password manager, and skip the game of Whac-A-Mole.

Running manual antivirus scans

“You should run antivirus scans on your computer” is another of these well-meaning pieces of security advice. Yes, it’s true that antivirus scans are useful, but that doesn’t mean you have to spend time doing it. Computers are designed to automate things and they can automate this.

I wince a little when I see people opening their antivirus to run regular manual scans. You can do that if you like, but we all only have so many hours in a day, and that’s a largely unnecessary action.

Your antivirus software is always running in the background and it’s always scanning, unless you’ve turned that feature off, which you really shouldn’t. Even if you haven’t installed an antivirus, the built-in Microsoft Defender antivirus in Windows Security on Windows 10 and Windows 11 is running regular scans. Your antivirus is running regular scans of the files you download and open to check if they appear dangerous before they can even run. It’s also likely running scheduled deeper scans, just like the ones you’d run if you opened up your antivirus app and clicked the Scan button.

You can run antivirus scans if you want. There’s no real downside beyond wasted time — but I hate to see people waste time. We all only get so much time each day! It’s a daily task you can skip.

If you have specific concerns that your PC might be infected by malware, it may be smart to launch your antivirus program and run a deep scan. It may even be smart to run deep scans with multiple programs to see if you find anything – checking for malware is often a first step in troubleshooting many weird PC stability and performance problems. But save yourself the time and skip the regular manual scans.

Trusting too much in antivirus software

Antivirus software isn’t perfect. A good antivirus program is an essential part of the security puzzle, but malware is becoming increasingly sophisticated. It’s a big business now: organized crime makes lots of money on malware. Decades ago, malicious software was often more of a prank.

With that in mind, antivirus software should be your last line of defense, not your first.

Antivirus software works through two methods: Definitions that spot known-dangerous files people have seen before, and heuristics that try to guess if a new file may do something bad. Neither is perfect: New malware may arrive through zero-day attacks and sophisticated evasion techniques may help it dodge those imperfect heuristics.

You should try to avoid malicious software on the web in any way you can. Quite frankly, I recommend acting like you don’t have antivirus software at all! One big thing to avoid is pirated software and video games. But you should exercise caution before downloading and running any obscure software, especially if Windows SmartScreen warns you few people have seen it before or if your antivirus software has concerns.

And there’s another, bigger problem: The risk isn’t just malicious software. Scam emails and other phishing attacks, for example, are a big risk online. These aren’t malware, your antivirus won’t catch them, and you could be bitten by them on any device, even your phone.

Backing up to an external drive now and then

We’ve all heard the advice: “regularly back up your PC.” This is still great advice! It’s all just a matter of how you do it.

If you back up your important files on a schedule to a second internal drive inside your PC, you have protection in case one of your drives fails, but that’s it. If your system is compromised by ransomware or other dangerous malware, or if something fries your PC’s hardware, you’ll lose your originals and your backups all at once.

Local backups to an external drive are great. Windows File History makes it easy without any extra software, and there are other, even more powerful backup tools you can get. But if the only copies of your files are on your computer and an external drive that’s sometimes connected to that computer, you could run into trouble. Ransomware could compromise both your computer and its backup drive, for example.

That’s why I’m a big fan of online backup software, too. Online backups happen automatically on a schedule, and there’d be no way for ransomware or other malware to lock or wipe all your backups. Online backups, sometimes called cloud backups, also ensure your files are stored in multiple physical locations. You’re protected even if something happens to all the hardware in your home.

If you’re only going the local backup route to keep your files secure from ransomware, device failure, PC theft, and all kinds of other disasters, I recommend at least having multiple external backup drives and storing one somewhere outside your home. You don’t want all the copies of all your important files in one physical location.

Avoiding public Wi-Fi

“Watch out for public Wi-Fi – it’s dangerous.” Now here’s a piece of advice we can get really into the weeds on. Thanks to the proliferation of cellular networks and unlimited data plans, it’s easier than ever to avoid public Wi-Fi networks and just tether to your phone for an internet signal, if you like. But do you really need to do that for your security?

Well no, not really. First of all, public Wi-Fi networks aren’t as vulnerable to snooping as you might think. Back in the days before HTTPS security was widespread on the web, other people on the public Wi-Fi network could often see what you were typing and doing on websites, if they had the right software. That’s what the Firesheep add-on for Firefox was all about. It launched in 2010.

That wouldn’t work anymore because, as long as you’re using HTTPS on a website, the connection is secure and encrypted – people can’t see the messages you’re sending on Facebook or the products you’re searching on Amazon anymore.

Other risks are still possible. If the public Wi-Fi hotspot was compromised, for example, it could try to redirect you to malicious websites or phishing websites that imitate the real thing when you connect to websites like your bank or email. (Security techniques like HTTP Strict Transport Security (HSTS) offer a way for websites to stop this from happening, but not every website implements them.) An attack like this one would rely on the public Wi-Fi hotspot itself being compromised, and the local Starbucks or airport Wi-Fi probably isn’t going to be vulnerable to that.
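What “implementing HSTS” means in practice, as an added example that is not part of the original article: a site sends a `Strict-Transport-Security` response header, and the browser only honors it if it is well-formed and arrived over HTTPS. The Python sketch below parses that header following RFC 6797 and reports how a conforming browser would treat it; the function names and sample headers are constructed for illustration.

```python
"""Parse a Strict-Transport-Security header (RFC 6797) and report whether
a browser would start enforcing HTTPS for the site that sent it."""
import re

_TOKEN = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_`|~-]+$")


def parse_hsts(header_value):
    """Return {directive: value-or-None}, or None if the header is malformed.
    Simplification: assumes no ';' appears inside a quoted value."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:                      # RFC 6797 allows empty directives
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        value = value.strip()
        if not _TOKEN.match(name) or name in directives:
            return None                   # bad name or repeated directive
        if sep and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]           # quoted-string form: max-age="600"
        directives[name] = value if sep else None
    return directives


def assess_hsts(header_value, received_over_https=True):
    """Classify the header the way a conforming browser would treat it."""
    if not received_over_https:
        return "ignored: browsers discard HSTS sent over plain HTTP"
    if header_value is None:
        return "missing: browser will not force HTTPS for this site"
    d = parse_hsts(header_value)
    if d is None or not re.fullmatch(r"[0-9]+", d.get("max-age") or ""):
        return "invalid: header is dropped, no protection"
    max_age = int(d["max-age"])
    if max_age == 0:
        return "disabled: max-age=0 tells the browser to forget the policy"
    scope = "host and subdomains" if "includesubdomains" in d else "this host only"
    return f"enforced for {max_age} seconds on {scope}"


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    for sample in ("max-age=31536000; includeSubDomains; preload",
                   'MAX-AGE="600"', "max-age=0", "includeSubDomains",
                   "max-age=600; max-age=900", None):
        print(repr(sample), "->", assess_hsts(sample))
```

A header that parses cleanly but carries a short `max-age` still leaves a window after expiry in which the browser no longer forces HTTPS for that site.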

Still, that highlights why you should ideally only connect to trusted Wi-Fi hotspots. A hotspot at a local business is one thing, but a strange public Wi-Fi hotspot you can’t identify? Probably best to stay away.

But there’s one more reason public Wi-Fi is okay: A VPN can help protect you from these threats. When you connect to a VPN, all your network traffic is securely tunneled through the VPN connection to the VPN’s server. Even if someone operating the Wi-Fi hotspot were trying to snoop on you, all they’d know is that you connected to the VPN’s server. They wouldn’t be able to see which websites you were connected to.

If you connected to old websites that used HTTP with no encryption, no one else on the hotspot would be able to see what you were doing. And even if the Wi-Fi hotspot itself were compromised and tried to redirect you to malware when you access your bank’s website, that wouldn’t happen, because your VPN would protect you. If you’re worried about the risks of public Wi-Fi, a VPN can help.

But the VPN itself can see all the websites you access. You’re putting a lot of trust in the VPN, so it’s important to choose a good, trustworthy VPN. Here are the best VPNs based on PCWorld’s reviews.

Chris Hoffman is the author of Windows Intelligence, a free email newsletter that brings the latest Windows PC news, tips, and tricks to inboxes each week. He’s also the former editor-in-chief of How-To Geek and a veteran tech journalist whose work has appeared in The New York Times, PCMag, Reader’s Digest, and other publications.
