Having spent over a decade reporting on cybersecurity, I’ve witnessed an impressive transformation in security practices and technologies.
Yet it’s disheartening to see that many individuals and organizations still cling to outdated practices that create only a false sense of safety.
Let’s delve into 10 outdated security practices that continue to be relied upon, even though they have become ineffective in the current threat landscape.
Mandatory Password Changes Every 30-90 Days
Requiring users to change passwords on a fixed schedule, with no specific reason to suspect compromise, tends to backfire.
When users are forced to update their passwords frequently, they often resort to minor variations of old ones or utilize simple patterns (like appending a number at the end or substituting a letter with a symbol).
Research indicates that such behaviors can ultimately diminish password security, as attackers can exploit these predictable modifications.
A more robust solution is to advocate for longer, complex passphrases, which are both easier for users to remember and tougher for attackers to guess.
Employing a password manager can also elevate password practices significantly. These tools generate, store, and autofill complex passwords, thereby diminishing reliance on memory and eliminating the need for insecure, frequent changes.
Moreover, rather than enforcing arbitrary rotation schedules, organizations should require a password change only when there is concrete evidence of compromise. Changing passwords for a reason, and only then, improves security and is easier on users, who are more likely to take the rare change seriously.
Complex Password Criteria Without Context
The push for incorporating uppercase letters, numbers, and special characters often results in predictable combinations, such as “Password1!”, which can be easily cracked by modern tools.
Additionally, these stringent requirements may inadvertently lead users to write down their passwords.
Instead, emphasizing password length—ideally between 12 and 16 characters—and promoting the use of password managers can significantly improve security. These applications can generate and securely store genuinely random passwords.
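The following is an added example in Python, not code from the original article, that turns the advice of these two sections into a policy check: it enforces a length floor of 12 characters, compares the candidate against a small constructed denylist standing in for a breached-password list, and rejects a new password that is only a cosmetic variation of the old one (rotated trailing digits, symbol-for-letter substitutions). The leet-speak map, the denylist and the helper names are assumptions made for the example.

```python
import re
from typing import Optional

# Constructed substitution map so "P@ssw0rd" normalises to "password".
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "$": "s", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed denylist standing in for a breached-password check.
WEAK_PASSWORDS = {"password", "password1", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 12  # length matters more than character classes


def _normalise(password: str) -> str:
    """Strip the decorations users add to satisfy complexity rules.

    "Summer2024!" -> "summer", "P@ssw0rd2025!" -> "password".
    """
    core = password.lower()
    # drop any run of digits/punctuation at either end
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(_LEET)


def is_trivial_variant(old: str, new: str) -> bool:
    """True if `new` is the old password with a rotated suffix/prefix or symbol swap."""
    old_core, new_core = _normalise(old), _normalise(new)
    if not old_core or not new_core:
        return old.lower() == new.lower()
    return old_core == new_core or old_core in new_core or new_core in old_core


def check_password(new: str, old: Optional[str] = None) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _normalise(new) in WEAK_PASSWORDS or new.lower() in WEAK_PASSWORDS:
        problems.append("matches a known weak/breached password")
    if old is not None and is_trivial_variant(old, new):
        problems.append("trivial variation of the previous password")
    return problems


if __name__ == "__main__":
    for candidate, previous in [("Password1!", None), ("Summer2025!!", "Summer2024!"),
                                ("correct horse battery staple", "Summer2024!")]:
        print(repr(candidate), "->", check_password(candidate, previous) or "ok")
```

The normalisation is deliberately crude; its job is to catch the handful of predictable edits a rotation policy trains people to make, not to measure password strength in general.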
Security Questions for Account Recovery
Common security questions like “What’s your mother’s maiden name?” or “What was your first pet’s name?” are often used for account verification.
However, these questions hinge on information that can easily be found via social media or data breaches, making them an unreliable choice for securing accounts.
Because those answers are effectively public, the questions are a weak link that an attacker can use to gain unauthorized access to your data.
A more effective method for securing your accounts involves adopting app-based multi-factor authentication (MFA) or using physical security keys.
MFA provides an additional layer of security by requiring both your password and a secondary verification method, such as a code sent to your smartphone or generated by an authentication app, which greatly reduces the chance of unauthorized access. Even if someone manages to obtain your password, they still need the second factor to log in.
Moreover, utilizing physical security keys, like YubiKeys, offers an added level of security. These devices require physical possession for account access, greatly hindering potential unauthorized entry, even if a password is known.
SMS-Based Two-Factor Authentication
While any form of two-factor authentication is certainly better than having none, SMS-based verification is fraught with risks such as SIM swapping, interception, and social engineering tactics.
Even though these vulnerabilities exist, many services continue to promote SMS as their primary security feature.
A more secure solution involves using authenticator applications like Microsoft Authenticator or Google Authenticator, or opting for physical security keys whenever feasible.
Antivirus as the Panacea for Security
Traditional signature-based antivirus solutions often fail in the face of modern cyber threats.
These contemporary threats include zero-day exploits—unknown vulnerabilities—fileless malware that operates in RAM, and sophisticated phishing campaigns designed to bypass basic security defenses.
Many users mistakenly believe that having antivirus software installed guarantees comprehensive security against these evolving risks.
Unfortunately, this misconception can foster a false sense of security, leaving systems exposed to breaches.
To strengthen security effectively, it’s vital to adopt a layered defense strategy. This should include Endpoint Detection and Response (EDR) solutions that provide real-time monitoring and remedial capabilities far beyond standard antivirus protection.
EDR tools scrutinize endpoint activities, ensuring continuous visibility and defense against intricate attacks.
In addition to EDR, maintaining timely system updates is critical. Frequent updates to operating systems and applications ensure that any known vulnerabilities are swiftly patched, thereby lessening the risk of exploitation.
Also, offering security awareness training for users is essential. Educating personnel about the latest phishing tactics, safe browsing practices, and the importance of promptly reporting suspicious activities can significantly bolster overall security.
By integrating these strategies, organizations can create a resilient defense against the increasingly sophisticated cyber threat landscape.
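An added example in Python, not from the article, contrasting the two detection models on a handful of constructed process-creation events: a signature scan compares file hashes against a denylist and finds nothing, because the interpreter that was launched is a legitimate system binary, whereas a behavioral rule of the kind EDR products apply flags a script host spawned by a document application. The hashes, process names and the rule itself are assumptions made for the example.

```python
# Constructed hash denylist standing in for antivirus signatures.
KNOWN_BAD_HASHES = {"f" * 64}

# Document-handling applications and script interpreters (assumed lists).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation events; the sha256 values are placeholders, not real samples.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "sha256": "1" * 64},
    {"pid": 200, "ppid": 100, "image": "winword.exe",    "sha256": "2" * 64},
    # interpreter launched by the document application: the trace a document-borne
    # or fileless payload leaves, even though the binary itself is legitimate
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "sha256": "3" * 64},
    # the same interpreter launched by the user from the desktop: benign
    {"pid": 400, "ppid": 100, "image": "powershell.exe", "sha256": "3" * 64},
]


def signature_scan(events) -> list:
    """Signature model: flag a process only if its file hash is already known bad."""
    return [e["pid"] for e in events if e["sha256"] in KNOWN_BAD_HASHES]


def behavioral_scan(events) -> list:
    """Behavioral model: judge the process by what launched it, not by its hash."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if e["image"].lower() in SCRIPT_HOSTS and parent["image"].lower() in DOCUMENT_APPS:
            alerts.append((e["pid"], f"{e['image']} spawned by {parent['image']} (pid {parent['pid']})"))
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_scan(EVENTS))
    for pid, reason in behavioral_scan(EVENTS):
        print(f"behavioral alert pid={pid}: {reason}")
```

Processes 300 and 400 carry the same hash, so no signature can separate them; only the parent relationship does. That is the visibility the text attributes to EDR, and it is also why such alerts need tuning against the environment's legitimate process trees.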
Relying Solely on Perimeter Security
The old “castle and moat” defense strategy presumes all threats are external.
However, insider threats, credential theft, and supply chain compromises can easily bypass these perimeter defenses.
A more productive strategy involves adopting zero-trust principles, premised on the idea that nothing should be automatically trusted—inside or outside the network perimeter.
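As an added example, not from the article, here are the two models side by side in Python: a perimeter policy that trusts any request arriving from a constructed internal address range, and a zero-trust policy that evaluates identity, device posture and authorization on every request and never consults the source network. The address ranges, roles, resources and request fields are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed corporate ranges; the perimeter model treats anything inside as trusted.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed access matrix: which roles may reach which resource.
RESOURCE_ROLES = {
    "payroll-db": {"finance"},
    "wiki": {"finance", "engineering", "contractor"},
}


@dataclass
class Request:
    user: str
    roles: set
    source_ip: str
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    resource: str


def perimeter_policy(req: Request) -> bool:
    """Castle-and-moat: once you are on the internal network, you are trusted."""
    src = ip_address(req.source_ip)
    return any(src in net for net in INTERNAL_NETS)


def zero_trust_policy(req: Request) -> tuple:
    """Evaluate identity, device posture and authorization for every request.

    Network location is deliberately not an input.
    """
    if not req.mfa_verified:
        return False, "strong authentication required"
    if not (req.device_managed and req.device_patched):
        return False, "device posture check failed"
    if not (req.roles & RESOURCE_ROLES.get(req.resource, set())):
        return False, "role not authorized for resource"
    return True, "allowed"


# Constructed scenario: stolen credentials used from an unmanaged, unpatched
# machine that happens to sit on the office network.
STOLEN_CREDS_INSIDE = Request(
    user="alice", roles={"finance"}, source_ip="10.20.30.40",
    mfa_verified=False, device_managed=False, device_patched=False,
    resource="payroll-db",
)

# Constructed scenario: the legitimate user on a managed laptop at a coffee shop.
LEGIT_REMOTE = Request(
    user="alice", roles={"finance"}, source_ip="203.0.113.7",
    mfa_verified=True, device_managed=True, device_patched=True,
    resource="payroll-db",
)

if __name__ == "__main__":
    for label, req in [("inside, stolen creds", STOLEN_CREDS_INSIDE), ("remote, verified", LEGIT_REMOTE)]:
        print(f"{label}: perimeter={perimeter_policy(req)} zero-trust={zero_trust_policy(req)}")
```

The first scenario is exactly the insider or credential-theft case the text describes: the perimeter model waves it through because of where it comes from, while the zero-trust check fails it on the first question it asks.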
Relying on Obscurity as Security
Many still believe that hiding things—such as putting admin panels behind hard-to-guess URLs or relying on proprietary encryption—provides security.
However, security through obscurity offers minimal defense against determined attackers.
A more effective strategy is to deploy transparent, well-tested security measures and to assume that attackers will eventually learn how your system works and find its weaknesses.
Heavy Dependence on Knowledge-Based Authentication
Authentication methods relying solely on knowledge, such as passwords or PINs, have become increasingly susceptible as massive data breaches expose personal information to attackers.
A superior methodology involves implementing multi-factor authentication, which combines something you know with something you possess (like a security key) or something you are (biometrics).
Manual Patching of Security Vulnerabilities
Delaying updates or selectively applying patches leaves systems vulnerable to known exploits.
Many organizations still rely on manual patching, which includes lengthy testing cycles that slow down the process.
A more effective approach would be automating patch management, utilizing testing environments, and prioritizing vital security updates.
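An added example in Python, not from the article, of the prioritization step: given a constructed host inventory and advisory feed (placeholder advisory ids, not real CVE numbers), it determines which hosts are affected by comparing versions numerically and orders the work by severity, boosted for internet exposure and known exploitation. The field names and the weights are assumptions made for the example.

```python
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn "2.4.10" into (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    ident: str           # placeholder id; real advisories carry CVE numbers
    package: str
    fixed_in: str        # first version that contains the fix
    severity: float      # CVSS-style base score, 0.0-10.0
    exploited: bool      # known to be exploited in the wild


@dataclass(frozen=True)
class Host:
    name: str
    packages: dict       # package -> installed version
    internet_facing: bool


def is_affected(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)


def priority(adv: Advisory, host: Host) -> float:
    """Higher is more urgent: severity, scaled for exposure and bumped for active exploitation."""
    score = adv.severity
    if host.internet_facing:
        score *= 1.5
    if adv.exploited:
        score += 10
    return score


def build_patch_plan(hosts, advisories) -> list:
    """Return (host, advisory_id, priority) triples, most urgent first."""
    plan = []
    for host in hosts:
        for adv in advisories:
            installed = host.packages.get(adv.package)
            if installed is not None and is_affected(installed, adv.fixed_in):
                plan.append((host.name, adv.ident, priority(adv, host)))
    return sorted(plan, key=lambda item: item[2], reverse=True)


# Constructed inventory and advisory feed; ids, package names and versions are placeholders.
ADVISORIES = [
    Advisory("ADV-0001", "webserver", "2.4.10", 9.8, exploited=True),
    Advisory("ADV-0002", "libjpeg", "1.6.0", 5.3, exploited=False),
    Advisory("ADV-0003", "sshd", "9.3.0", 7.5, exploited=False),
]
HOSTS = [
    Host("edge-proxy", {"webserver": "2.4.9", "sshd": "9.2.1"}, internet_facing=True),
    Host("build-box", {"webserver": "2.4.9", "libjpeg": "1.5.2", "sshd": "9.3.0"}, internet_facing=False),
]

if __name__ == "__main__":
    for host, adv, score in build_patch_plan(HOSTS, ADVISORIES):
        print(f"{score:6.2f}  {host:<12} {adv}")
```

The numeric comparison is the detail that most often goes wrong in home-grown scripts: as strings, "2.4.10" sorts before "2.4.9", which would silently mark a vulnerable host as fixed. The plan this produces is the input to the automated, staged rollout the text recommends; the testing environment still gets the patch first.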
Compliance Checklists Instead of Focusing on Security Outcomes
Just because an organization meets compliance mandates doesn’t guarantee its security. Many focus on ticking regulatory boxes rather than genuinely improving their security posture.
A more effective approach is to consider compliance a foundational level of security, rather than the end goal. Organizations should strive to design security programs that address actual threats and continually evaluate their effectiveness.