Cyber Security Mara

Let me start by asking you about your password.

How did you create it?

Do you use it anywhere else?

If it's generated by a password manager, is that password manager the one built into your browser?

How long is it?

When you added complexity to it, did you just add a 1 to the end? Your birth year? Maybe an underscore between words?

All of these things should be factoring into your risk calculation.

You can see my password advice and how easy it is to crack a password here.

So why the hell does this matter to the odds?

Let's say you use the browser-native password manager to create that password - what else could they potentially have access to, if they have that password? Your Google account? Do you have a banking app on your phone? Do you store your banking password in your browser-native password manager? What else is in there?

Risk isn't just inherent to the one thing that someone may have access to, it's lateral.

If someone gains access to one thing, what else can they gain access to?

Crowdstrike has a good summary of lateral movement here.

Effectively, any attacker, once they have access, may try to access other things - the higher the value, the higher the odds.

Do you value your banking information? Of course you do! So how can someone get from accessing your Gmail to your banking? Is the app installed on your Android phone? Is the password the same? Is the password stored in your Google password manager? All things you have to consider for risk.

I know what you're thinking: that's all well and good, but what are the actual odds someone's going to target me?

You specifically? Some random unknown person on the internet? A direct target on you yourself? Probably not that high, to be honest.

But that's not where the conversation ends.

Because you don't have to be the specific target to get hacked, you just have to be the easiest.

Let's look at an example: call centre scammers.

They have no idea who's calling them.

They didn't specifically put that fake virus message on your computer, they just put it out in the wild and let it go nuts. Whoever calls, calls.

It's the same for your online accounts and information.

A bad actor can obtain your login information from any given data breach on the dark web. (You can check haveibeenpwned to see if your email's been in a breach - if it has, change your password right away anywhere you use that password/email combination, and check your account activity/logins)

Which means that in a majority of cases, they already have your login information.

And not because you necessarily were the target, but because you were easy.

Also, you have to consider the version of something you're using.

I know we all hate updating our software.

Upgrading from Windows 10 to 11.

Installing that next update that gives the app a new look you just don't like, so you avoid it to keep the old look.

But hidden behind those updates are security patches, things that make your system more secure against attacks.

And if you're avoiding those updates and your computer is on the internet, someone can easily find you.

There's a whole-ass tool online out there that people can use to look for out of date systems.

Again, they're not targeting you, they're targeting the weakness that you're broadcasting to the world.

All it takes is one quick search and a random click on a red dot that happens to be your computer.

Update your computer, get a different operating system if you have to.

If you're not using your system for anything too heavy or Steam games, try something like Linux Mint or ZorinOS, which are designed to have a similar feel to more classic Windows experiences.

Get a password manager.

PC Mag has a list of free password managers for 2026 here, if you can't afford a paid version.

When considering risk, considering the odds that you specifically are the target, stop right there. And instead consider whether you are an easy target instead.

1.If you receive an email asking you to click a link or perform an action, check the email address.

What does this mean?

Let's take the post I saw as an example. It claimed that there's someone reaching out on Discord with a Discord support email address they were asking you to add.

Things to look for:

What is the email domain? Is it @discord.com? Or is it some other random domain like gmail or hotmail? Discord support won't be using an unofficial @discord.com domain. If you're being given a contact for customer support or some other official channel with a company, google the email address. Go to the company's website and contact that department directly through the website. if it's an email that's not on the website, reach out to their customer service/support team via email or web form. Tell them what the issue the person in the email has claimed is. Basically, get help through official and confirmed channels.

If you're receiving an email, check what address shows up if you hit reply The from and reply emails may not match. Big red flag. If you know how to get ahold of the email header, there are tools you can use to analyze the email header and translate it into plain English to show you exactly who's emailing you - such as mxtoolbox.

2. Consider the source.

Have you received this information from someone you trust or is it a new account you've never heard of claiming to be someone you know?

If you receive any message from someone who claims to be someone you know, verify it.

If they say they're a Tumblr mutual you don't know IRL and they're reaching out on Discord or Instagram or whatever, go back to Tumblr and DM that person to confirm if it's them.

If you know them in real life, call them. Text them.

Honestly, though, this is just general life good advice. Consider the source.

Verify.

3. Don't tell people your real information.

Let's stray off the path for a second here.

The number of people I see posting their real names and birthdates on Tumblr is insane.

Do a few of my mutuals know my real name? Sure.

Did I post that on Tumblr? Fuck no, lol.

Let's say you reblog a post with your birthdate.

Then another with your childhood pet.

Maybe the city you were born in.

Your grandmother's maiden name.

What do all of these examples sound like?

Security questions.

If I'm a bad person, I now have everything I need to maybe access your online banking? Find your home address?

You would be surprised just how little information someone needs to gain access to your private information.

I recommend this video to see just how little information someone needs:

As Rachel says, assume everything you put online is public.

She got his address and birthdate from a couple of Tweets.

And from that, she was able to steal $2000 worth of hotel points and change his seat on his flight.

4. Do not click on unexpected links.

There are ways to verify a link before you click it. Antivirus programs have browser extensions to check the safety of your links. You can put the link in VirusTotal. You can even put downloads/attachments into VirusTotal to check.

If you have any technical know-how, get yourself a password manager. Keeper, 1Password, LastPass, Bitwarden, Dashlane, etc. Invest in one if you can afford it.

Bitwarden has a free password manager option.

The only password you'll have to remember is your password manager password.

So why wouldn't you want to use a browser-based password manager? They're more easily compromised. If someone gets into your Google account, they now have access to your banking login if it's saved in your password manager. And it's not their primary focus.

A proper password manager is a better option.

So, how do you make a password that's secure AND easy to remember?

Use random words strung together.

And interrupt those words in random places.

There's the classic XKCD comic with 'CorrectHorseBatteryStaple'. Which is a solid base for the idea. But you can still be vulnerable to dictionary attacks, which are attempts to get your password by firing words at your login from a dictionary list.

So to make it more secure, you'd take:

CorrectHorseBatteryStaple

And make it:

Co_rrectHo*rseBatter*yStapl*e

And if you need to have numbers in your password:

Co_rrectHo*rseBatter*yStapl*e63

Pick a random number.

And aim for 16 characters or more. Which sounds like a lot under the old password rules, but with the above? Easier to remember, harder to crack.

Don't do any of these with your passwords:

Common substitutions. If you substitute the @ symbol for an A, don't. What, you think if someone's trying to get your password they've never heard of doing that? It doesn't work. And it doesn't matter. You're better off interrupting the words with random punctuation like in the above examples.

The number 1 at the end if a number is required. This'll be the first thing someone's going to try. It's useless. Don't do it.

Your birthday. Just...don't.

Your dog's name.

Your child's name.

Anything you post on your social media that someone could guess easily.

Social engineering is insanely easy to do.

Do NOT put your password into a tester online to check how secure your password is.

To get an idea, this is how secure your password is in 2023:

As for MFA:

Use it. This isn't even an option in my opinion. Use 2FA. I don't care if you think it's annoying. Use it. It will help keep you secure.

Google Authenticator. Easy set up on Android 4.4 and higher. Also works on iPhone.

2FAS. Read the guide for enabling 2FA.

Duo. Keep in mind that you NEED to save your security codes or you will not be able to recover your access. Make sure to read the linked guide for third party accounts before you use Duo.

Yubikeys. Not cheap, but a solid authentication option and incredibly secure. If you can afford it, I highly recommend getting one. You can attach them to your keychain!

Biometrics on your phone. Some phones also come with security keys which can be attached to your secure login - ie. biometrics.