
SMEs reminded of hacking basics as open letter from experts ‘debunks’ cyber myths

Some of the biggest myths about hacking have been challenged in a new open letter from leading cyber experts.
The letter, signed by a group of current and former Chief Information Security Officers (CISOs), security leaders, and practitioners, aims to correct common misconceptions about everyday digital risks facing people and small businesses. It also highlights the practical steps that can actually make a difference to device security.
The open letter is led by Bob Lord, former security chief for Yahoo, Twitter and the Democratic National Committee, who says he has long been frustrated by what he terms ‘hacklore’ – scary-sounding security tips that persist through repetition, even when evidence does not back them up.
He has launched hacklore.org to challenge this kind of cybersecurity folklore, arguing that it distracts people from the simple, proven steps that genuinely cut everyday cyber risk.
Top of the myth list is the idea that you should always avoid public wifi. While a recent report from Google warned that public networks are easily exploited, the experts point out that large-scale attacks via public wifi are now very rare.
Modern apps and services typically use strong encryption, and today’s operating systems and browsers warn users when connections are unsafe.
The letter makes similar points about QR codes, Bluetooth and contactless functions, noting there is no evidence of widespread crime caused by QR-code scanning itself, and that real-world wireless exploits are extremely rare and usually require specialist equipment, physical proximity, and unpatched devices.
The experts also push back on some long-standing ‘best practice’ tips. Frequently changing passwords, for example, can encourage people to choose weaker options and reuse them across accounts – both of which increase risk rather than reduce it.
Other familiar warnings, such as never using public USB charging points, always turning off Bluetooth and NFC, or constantly clearing cookies, are also labelled as distractions from higher-impact protections.
Instead, the experts recommend focusing on a small set of proven measures: keeping devices and apps up to date, turning on multi-factor authentication for sensitive accounts, and moving towards passkeys – a newer sign-in method designed to replace passwords.
They also stress the value of using a reputable password manager to generate strong, unique passwords where needed and to store passkeys securely.
East Midlands Cyber Security Cluster founder, Dr Ismini Vasileiou, said: “It’s easy to get lost in scary headlines and conflicting advice, but most people don’t need to live in fear of public wifi or QR codes.
“What really matters is getting the basics right every day – updating your devices, turning on multi-factor authentication, and using strong, unique credentials. If more individuals and small businesses focused on those simple steps, we’d see a far bigger improvement in real-world cyber resilience.
“Alongside this, our EMCSC cyber workshops give businesses the chance to turn good intentions into practical action.
“By taking part in these sessions – and joining us at the East Midlands Cyber Summit 2026 – organisations can get hands-on support, ask questions in a safe environment, and leave with clear next steps to strengthen their resilience.
“These are real opportunities for leaders to understand their real risks and build the capabilities they need for the long term.”