There's a lot of myths and misconceptions when it comes to computers and cybersecurity especially. So in this video, I'm gonna go over 10 of the most common ones that I've seen. And you may know a lot of these, or you may not know any, but by the end of this, you will be a genius level expert.

So starting off with myth number one, which is that you should change your password frequently. Now this is basically old, outdated advice. At one time, it was thought that changing your password frequently was a good idea, because the idea is that if your password gets stolen, then it would only be valid for a short amount of time. But it ended up being that basically it makes people choose weaker passwords, because if they have to update them constantly, instead of choosing one really good longer password that's harder to remember but is strong once you do, they choose some weak password, or just incrementally change it by adding a number to it every time they have to change it. And these days, even the National Institute of Standards and Technology, in their Digital Guidelines document, they say "do not require that memorized secrets be changed arbitrarily, like periodically, unless there is a user request or evidence of authenticator compromise." So basically there's not too much benefit to it, and it pretty much just annoys users.

Next up, myth number two: the padlock in the URL bar of a website means that the website is safe and trustworthy. The other day I was watching a video, it wasn't computer related, but the presenter off the cuff made a comment mentioning the lock in the URL bar and implied that it meant that the website was reliable. But that is not what the lock signifies. Instead, it just means that the connection between you and the website is secure, not the website itself. So in other words, it means that you can know for sure that you are actually connecting to the website that you think you are, and no one in the middle is messing with that connection. However, that doesn't mean that the website itself might not be dangerous. For example, you could be visiting a site, www.StealYourMoney.Scam. And yeah, you could be connected to that scam site securely, but it's still a scam site. These days basically every website is gonna have the lock. It's free and easy to get the secure connection certificate. And now browsers usually are gonna warn you if you connect to a site that hasn't been updated and doesn't have a secure connection. So basically, if a website has a lock, it doesn't really mean anything special; it should by default. If it doesn't have a lock, then you shouldn't really trust it. You definitely shouldn't enter any information into it or log into anything, or probably even download files from it, because it could have been interfered with, theoretically. Although if it's just a website that you're purely reading something off of, it's not a huge deal.

Moving on, myth number three: using incognito mode makes your web browsing activity untraceable. No, that's not what it does at all. Incognito mode, or private mode, whatever you wanna call it, the only thing it does is prevent your browser history from being stored on your local computer. So if you're doing Google searches or browsing on Facebook or Twitter or whatever, then even though the browser history is not being stored on your computer, those websites are still obviously logging that activity and they're associating it with your IP address. They can still keep track of everything you're doing. And obviously if you're in incognito mode, if you're logged in especially, well, they're gonna easily be able to associate what you're doing with who you are, because you literally told them by logging in, even if your IP address is hidden with a VPN or something. So always keep in mind what they can see on a website, who might be tracking it, because they kind of track everything these days, just be aware of it.

Now speaking of hiding
your IP address, before we continue, I wanna thank today's sponsor, Private Internet Access, a VPN service that I myself have been a customer of since 2014, you can even see my billing history here. Private Internet Access can protect your internet connection from prying eyes, even your own internet service provider. You simply install the VPN software and choose a server across many different countries. And the same goes with the mobile apps, you simply toggle it on and you're good. So yes, it's available on all desktop and mobile platforms, and also as a browser extension if you want. There are also additional features like a VPN kill switch to prevent you from accidentally revealing your connection, and what's called PIA MACE, which can block trackers, malware and more. And importantly, they don't keep logs of any kind. And as a special deal for you all, if you go to PrivateInternetAccess.com/TJ you can get 83% off a three year plan, which ends up being about $2.08 a month. I'll also put that link in the description. So definitely a good deal, check it out. And with all that being said, let's continue.

All right, onto misconception number four, which is that
the reason you want to have a good password is to prevent it from being "guessed" by some hacker. In reality, no. No hacker is sitting at your login prompt and trying to guess what password you're using. I mean, theoretically, they could be doing it, but 99% of the time, the reason you need to have a good password is because it is encrypted by most websites, if they do good security in their database. But if that database gets stolen, then the better your password, the harder it is for them to decrypt it. And mark my words, you have had your credentials stolen even if you don't realize it. If you go to the website Haveibeenpwned.com, you can put in your email address and they'll notify you and let you know what breaches you have been a part of. And definitely if you use passwords on those sites, then you better change them, or have changed them long ago. Now to put it in more specific terms, basically any website, when you type in your password, "encrypts it," you can think of it as; technically it's called hashing. They do some other stuff like salting, not gonna get into the specifics, but basically it's stored not as your actual password, but as a specially encoded version of it. And if that password database gets stolen, what the hacker's gonna try and do is go through the entire database of these encoded passwords and brute force them, using computers to calculate what passwords must be associated with those encodings. And here's the key: the stronger and longer your password is, the harder it is for those hackers to do that for your particular password. So they'll be brute forcing all these calculations against all the passwords, and the people who use the weaker passwords, theirs are gonna be found. Whereas if you use a strong password, your password may never be detected and found by those hackers. So yes, if you find out a website has had a data breach, you obviously need to change that password, but it's also possible that if you had a strong one, then you don't have to worry about it being taken advantage of in the meantime before you find out. And that's the main reason you absolutely need to use unique passwords across all sites, because hackers are gonna be automatically, just automated, testing these email and password combinations, the ones that they stole, on all sorts of other more important websites: banks, whatever. And even if your password is very strong, you don't know if the website you're signing up to has any good security. They might not even be encrypting the passwords or hashing them at all. They might just be storing them as is. So if you are using a very strong password, but you use it everywhere, well, if the website isn't securing them, and it gets stolen, then it's just as bad as if you had a weak password.

Now moving on to myth number five, which is related to the last one,
and that is that a strong password must be very complex, with numbers, letters, and symbols in it. Actually though, it turns out that the length of the password is way more important than the actual complexity of it. For example, a 15 character password that is simply just lowercase letters, no numbers or anything special in it, is ten times as secure as an 11 character password that has all character types in it. And you may have actually even seen a web comic, XKCD. They did a comic strip about this a while ago that illustrated this: how if you have a very long password, it's easier for you to remember, but way harder for a computer to crack or brute force. Now all that being said, there is some nuance to this, and I personally would still recommend you do use complex passwords with special characters and all that, because it undeniably does make your password more secure no matter how long it is. It's just that if you can also make it longer, that's the ideal situation, and here's why. If you happen to unknowingly use a combination of words that a lot of other people do too, just because we're human and we're kind of predictable, then attackers are probably not even gonna bother checking every single password letter by letter. They're instead just gonna try word by word, and common word combinations, which will be a lot faster if you are using that combination of words. For example, hackers may see from a previous data breach that a lot of people like to use phrases including their favorite sports teams, like "Lakers are awesome." So those hackers, when trying to decrypt a database, might first try "[list of sports teams] are awesome", and just try all those different combinations instead of every single possible letter. And then for those people who happen to use a phrase including their sports team, well, those passwords are gonna be cracked in nanoseconds. So basically, if you personally make a really good long password, then yeah, you might be safe. But websites, if they're trying to implement a password policy, they know most people are gonna create passwords that suck. So they kind of have to introduce these complexity requirements just to save people from themselves. And I have always recommended that you use some kind of password manager, like LastPass or 1Password, which can automatically generate random and long passwords, as well as keeping track of them for you so you don't have to remember them. It'll auto fill them, definitely a better situation than just trying to remember them and use similar passwords on everything, that's never a good idea. Just try a password manager.

All right, now for number six and seven, these are basically two polar opposites. The
first is that if you're good with computers, you don't need antivirus. And the second one is, if you have antivirus, you don't have anything to worry about. The truth of course is somewhere in the middle. Even if you are really good with computers, yeah, you are going to avoid 99.9% of viruses, whatever, by not going onto shady websites, being skeptical of downloads. But you never know, something might slip through. There might be a zero day vulnerability that infects you without you even doing anything to interact with it, stuff like that. So you do need to use some kind of antivirus, even if it's just the one built into Windows. As long as you keep that up to date, if you're good with computers, that's probably enough. On the flip side, relying completely on your antivirus, even if it's a top rated third party one that you have to pay for, that is also a recipe for disaster. Because there are new viruses and new ways that hackers are coming up with every day to try and circumvent these things. So if you happen to be unlucky enough to be one of the first people that gets exploited by a new technique, well then your antivirus might not be able to detect it until it's too late. And then you're kind of screwed. So for the best overall antivirus, remember this ABC: Always Be Crazy suspicious. I just came up with that, but it's true. If you're skeptical of any kind of link that gets sent to you over email, especially documents that are attached, then you're better off than people who think, "oh, my antivirus is fine, I'll just click all this stuff, it'll protect me." Same goes with other files you download from the web. If you're not a hundred percent trusting of the source, you gotta be skeptical of that sort of stuff. Maybe upload it to a website like VirusTotal, which actually runs it through like 50 different antiviruses. And then you can kind of tell, all right, if there are no results, or maybe like one result from some antivirus you've never heard of before, it might be a false positive. But if you upload it to that site and you see a whole bunch of hits, well, you can probably know not to trust it. So just being suspicious in the first place will get you a long way.

All right, onto number eight, this one's also
related to viruses. And that myth is if you have a virus, you'll know it. Now back in the day, most viruses would be pretty obvious. You'd get pop-ups, ads all over the place, you'd be like, "what is going on with this?" And you could probably know to maybe scan for viruses or figure out what's going on. These days, malware is usually gonna be a lot more sneaky. Yes, there is adware out there that makes pop-ups and just injects ads into websites that you know shouldn't be there, but sometimes they're really sneaky about it. They might replace the ads that are actually on a website with the ones that the virus is trying to promote, so it might not even seem out of place. And some malware does everything it can to not be seen at all, you know, it's not even gonna show up as a program. You might barely be able to see it running in the background if you check Task Manager yourself, stuff like that. And for keyloggers and rootkits, which pretty much can control your whole computer, that's something basically you're not gonna even know about unless your antivirus detects it. And of course when it comes to ransomware, you will eventually find out that you got infected, but not until it's too late. So that kind of goes back to the previous one, you don't have to be paranoid all the time, but you do have to be diligent. And maybe for the peace of mind, run a full virus scan every once in a while.

All right, coming near the end, we
got a couple more. And number nine is that a strong password is all you need to secure your accounts. But these days you also really should have two-factor authentication enabled on any account you care about at all. So basically that means if you're logging in, you would also get a text message with a code on it. Or better than SMS is an authenticator app like Authy or Microsoft Authenticator. There is Google Authenticator, but you can't really back that up, so I do recommend Authy or Microsoft Authenticator instead. But actually the most secure and easiest method of two-factor authentication is a physical security key. And these are actually really easy to use. You do have to buy it, but if a website does support it, which not all do, then you register it with the website. Anytime you wanna log in, you just tap the security key. And the way it works is it connects with the website using encryption, and it's done in such a way that it cannot be phished. Even if a hacker steals your login credentials by tricking you, and they somehow trick you to press the button on the key, well, they are not gonna have that secure connection to the actual website and they won't be able to use that key at all. In fact, there were two security companies, ironically, Twilio and Cloudflare, that recently got attacked by phishing attackers. Like, it was a sophisticated, well coordinated attack. And at Twilio, a couple of their employees got phished, and even though they used those code generators, I believe, still the attacker was able to just phish the code from them. Whereas Cloudflare, on the other hand, they also had a few employees phished. However, they use hardware tokens, hardware security keys, and those are not phishable. So even though three employees at Cloudflare did get phished, the attackers were not able to access anything, because they could not get past that hardware security key, so I definitely recommend those. And the main company that makes these is called Yubico, and they make some that are cheap ones, I think they're like 20 bucks, and some more sophisticated ones. I have both types of these and I'll put links in the description if you want to check those out and learn more about them. Again, not every website is gonna support them. Most big websites like Google, Microsoft, Facebook, they all do.

All right, and finally number 10,
the myth is that if you delete a file, even if you empty the recycle bin, or even if you do a quick format of the hard drive, it's irretrievable. And that's not true. If you delete a file, even if you delete it from the recycle bin, what that does is simply mark the spot on the hard drive as being free, and it can be overwritten by anything that wants to. But if no program comes along and overwrites that data, then it's still gonna be there and you can use special programs to retrieve it if nothing has overwritten it. And as for quick formatting a hard drive, I made a whole video talking about this. But basically, quick formatting a hard drive, even though it makes the whole drive look completely empty, basically just rewrites the beginning part of the drive to say again that everything is free, even though that data is technically still there. Now if you don't do a quick format, it will basically write zeros to everything. So that is way more secure, obviously. But I'd probably recommend just watching that other video for more details.

So hopefully you found this video helpful. If you did, give it a thumbs up, and if you wanna subscribe, also be sure to click the bell and enable all notifications. These days even if you subscribe, YouTube still might not show you the stuff, so consider doing that as well. And if I missed some myths that you think I should have included, let me know down in the comments, we can talk about that down there. Also thanks again to Private Internet Access for sponsoring this video. Again, you can check the link down in the description, get that special deal for the three year plan. If you do wanna keep watching, I'll put a link to that video I mentioned talking about quick formatting and what exactly formatting a hard drive does. I'll put that right there you can click on. So thanks so much for watching guys, and I'll see you in the next one.
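The hashing-and-salting explanation in myth four and the word-by-word guessing in myth five, as one added example that is not from the video: how a site should store a password, and what a stolen record looks like to guessing. The team list, templates and passwords are constructed stand-ins, not real breach data.

```python
# Added example (not from the video): how a site should store a password
# (random per-user salt + slow hash) and why, once that database is stolen,
# a reused phrase falls to word-by-word guessing while a long random password
# survives it. Constructed sample data; the team list stands in for a wordlist.
import hashlib
import os
import secrets

ITERATIONS = 100_000   # slow hash: each guess costs the attacker this much work


def store_password(password: str) -> dict:
    """The record a site keeps: a random salt and PBKDF2-SHA256 of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return secrets.compare_digest(digest, record["hash"])


def pattern_candidates(teams, templates):
    """The '<team> are awesome' style guesses the video describes, one phrase at a time."""
    for template in templates:
        for team in teams:
            yield template.format(team=team)


def recover(record: dict, candidates):
    """What happens to a stolen record: the matching guess, or None if no guess matches."""
    for guess in candidates:
        if verify_password(record, guess):
            return guess
    return None


TEAMS = ["Lakers", "Celtics", "Bulls", "Warriors"]             # constructed
TEMPLATES = ["{team} are awesome", "Go{team}!", "{team}2022"]  # constructed


def demo():
    """Returns (guess recovered for the reused phrase, guess recovered for the random one)."""
    reused_phrase = store_password("Lakers are awesome")
    random_long = store_password("tq7v-wm2k-plxr-9c4h-zb8f")   # password-manager style
    guesses = list(pattern_candidates(TEAMS, TEMPLATES))
    return recover(reused_phrase, guesses), recover(random_long, guesses)
```

Every candidate costs the same slow hash whether it is right or wrong, which is why the iteration count matters as much as the salt.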
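The security key behaviour described in myth nine, as an added example that is not from the video: a simplified model in which a relayed one-time code is accepted by the real site, while a key response produced on a look-alike page is rejected because the browser binds it to the wrong origin. Assumptions: HMAC with a secret shared at registration stands in for the public-key signature a real FIDO key uses, and the origins and secrets are constructed.

```python
# Added example (not from the video). Why a typed one-time code can be relayed
# by a phishing page while a security key's response cannot: the browser feeds
# the key the origin it is really on, the key signs (origin, challenge), and the
# real site rejects a response bound to a look-alike origin. HMAC stands in for
# the key's public-key signature; origins and secrets below are constructed.
import hmac
import os
import struct

REAL_ORIGIN = "https://login.example.com"    # constructed
PHISH_ORIGIN = "https://login.examp1e.com"   # constructed look-alike

def totp(seed: bytes, now: int) -> str:
    """RFC 6238-style 6-digit code: whatever the user reads off the app can be retyped."""
    mac = hmac.new(seed, struct.pack(">Q", now // 30), "sha1").digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def site_accepts_code(seed: bytes, code: str, now: int) -> bool:
    return hmac.compare_digest(totp(seed, now), code)

def key_assertion(key_secret: bytes, origin: str, challenge: bytes) -> bytes:
    """What the security key returns; the origin comes from the browser, not the user."""
    return hmac.new(key_secret, origin.encode() + b"|" + challenge, "sha256").digest()

def site_accepts_assertion(key_secret: bytes, challenge: bytes, assertion: bytes) -> bool:
    """The real site only accepts a response bound to its own origin."""
    expected = key_assertion(key_secret, REAL_ORIGIN, challenge)
    return hmac.compare_digest(expected, assertion)

def phished_code_is_accepted(now: int = 1_700_000_000) -> bool:
    """Twilio-style case: the code typed into the phishing page is relayed and works."""
    seed = os.urandom(20)                      # shared by app and site at enrollment
    typed_into_phish_page = totp(seed, now)    # user reads it from their app
    return site_accepts_code(seed, typed_into_phish_page, now)

def phished_key_is_accepted() -> bool:
    """Cloudflare-style case: the phishing page relays the real challenge and the user
    taps the key, but the browser binds the response to PHISH_ORIGIN, so it is rejected."""
    key_secret = os.urandom(32)                # registered with the real site
    challenge = os.urandom(16)                 # fetched from the real site by the phisher
    relayed = key_assertion(key_secret, PHISH_ORIGIN, challenge)
    return site_accepts_assertion(key_secret, challenge, relayed)

def genuine_key_login_is_accepted() -> bool:
    """Same key, same challenge, but the browser is really on REAL_ORIGIN."""
    key_secret, challenge = os.urandom(32), os.urandom(16)
    return site_accepts_assertion(key_secret, challenge,
                                  key_assertion(key_secret, REAL_ORIGIN, challenge))
```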
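The delete / quick format / full format difference from myth ten, as an added toy model that is not from the video: deleting only drops the table entry, quick formatting only resets the table, and the bytes stay visible to a raw scan until a new write lands on them or a full format zero-fills the drive. Block size, table layout and file contents are constructed and match no real filesystem.

```python
# Added example (not from the video): a toy disk model. "Delete" only removes
# the table entry, "quick format" only resets the table, and the bytes stay
# readable to a recovery scan until a new write lands on them or a full
# format zero-fills the drive. Constructed model, not a real filesystem.
BLOCK = 16   # bytes per block (constructed)


class ToyDisk:
    def __init__(self, blocks: int):
        self.data = bytearray(BLOCK * blocks)   # raw bytes, like the platter
        self.table = {}                         # allocation table: name -> (start, length)

    def free_blocks(self):
        used = {b for s, n in self.table.values() for b in range(s, s + -(-n // BLOCK))}
        return [b for b in range(len(self.data) // BLOCK) if b not in used]

    def write_file(self, name: str, content: bytes):
        start = self.free_blocks()[0]           # first block the table says is free
        self.data[start * BLOCK:start * BLOCK + len(content)] = content
        self.table[name] = (start, len(content))

    def delete(self, name: str):
        del self.table[name]                    # the data bytes are untouched

    def quick_format(self):
        self.table.clear()                      # "everything is free"; bytes untouched

    def full_format(self):
        self.table.clear()
        self.data[:] = bytes(len(self.data))    # write zeros to everything

    def carve(self, signature: bytes):
        """Recovery-tool view: scan raw blocks for known content, ignoring the table."""
        i = self.data.find(signature)
        return None if i < 0 else bytes(self.data[i:i + BLOCK]).rstrip(b"\0")


def demo():
    """Returns what a recovery scan finds after delete, after quick format, after overwrite."""
    disk = ToyDisk(4)
    disk.write_file("secret.txt", b"TOPSECRET-plans")
    disk.delete("secret.txt")
    after_delete = disk.carve(b"TOPSECRET")
    disk.quick_format()
    after_quick = disk.carve(b"TOPSECRET")
    disk.write_file("new.txt", b"new data overwrites")   # reuses the freed block
    after_overwrite = disk.carve(b"TOPSECRET")
    return after_delete, after_quick, after_overwrite
```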