The Cybersecurity Habits That Actually Work: Lessons From a Conversation With Bob Lord
Beau Friedlander
On this week’s episode of What the Hack, I talked to Bob Lord, a highly respected cybersecurity expert and renowned authority on digital risk. Spend any time around cybersecurity professionals and one thing becomes clear: clarity matters, a lot.
Lord is no exception. His message is as simple as his prescription. Lord believes most cyber risk can be dramatically reduced, and that most of the anxiety people carry about “advanced threats” distracts them from taking meaningful action to protect themselves.
Lord was so frustrated about this tendency that he wrote an open letter and got 100 cybersecurity luminaries to sign it.
The “Stop Hacklore” open letter calls for an end to the FUD-flogging folklore and wrong-answer tactics that too often masquerade as cybersecurity advice. It targets outdated advice like avoiding public Wi-Fi, QR codes and public USB charging ports, and the supposed need to regularly change passwords, clear cookies, and turn off Bluetooth and near field communication (NFC).
Clearing away bad advice only matters if people know what to do instead. The “Stop Hacklore” letter provides that much-needed guidance. The advice begins and ends with grounding ourselves in habits that consistently shut down the kinds of attacks ordinary people actually face.
Lord’s core principle is straightforward: the baseline for cyber incidents often comes down to a handful of preventable failures. That’s why he focuses on basics that fall under the rubric of everyday resilience. These include using passphrases, using a password manager instead of recycling passwords, and updating devices and software when you get the notice to do so. Although he doesn’t mention it, I’ll add one of my own: pause whenever a message or any other communication says you need to do something right now. Urgency is one of the clearest signals that you’re dealing with a threat actor.
What makes these fundamentals powerful is not their novelty but their simplicity and functional value, because at the end of the day, threat actors are low-effort people. When your defenses are simple, predictable, and regularly maintained, you raise that effort-cost dramatically without needing to worry about a DEF CON demo that’s never been seen in the wild.
If there was one point Lord returned to repeatedly, it was the enormous value of multifactor authentication. He sees MFA not as an optional upgrade but as a universal safety measure that can reliably stop entire categories of attacks. Passwords leak. Hackers can “guess” them with very little skill. They can be stolen or phished. A second factor is a barrier that is much harder for criminals to overcome, because defeating it requires serious social engineering skills (possible, but a real threat mainly to high-value targets) and, often, access to the device or account where that second factor was delivered.
In the realm of MFA, there is a spectrum of coverage. Text-message codes are good, authenticator apps are better, and hardware security keys are best for anyone at elevated risk. But the takeaway in the “Stop Hacklore” letter is refreshingly democratic: any second factor beats none at all. The failure mode Lord worries about isn’t choosing the “wrong” MFA tool; it’s not using one.
He also offered another rule of safe online life: if you get a login approval prompt you did not initiate, decline it and secure the account immediately. That scenario almost always means someone already has your password.
The thing that makes “Stop Hacklore” stand out is a message we don’t hear nearly enough: the distinction between what is possible (think “Mission Impossible”) and what is probable.
The real danger is mundane. It’s phishing messages, powered by AI, that look like something you’ve seen before and might even be expecting (courtesy of a data compromise at a service you use). It’s old passwords exposed in long-forgotten breaches. It’s an unpatched device. It’s fraudsters exploiting publicly available personal information to impersonate you convincingly enough to slip past customer service, because there are hundreds of pieces of your data “out there” waiting for you to do something about them.
Lord’s point isn’t that high-end attacks don’t exist. It’s that defending against the most likely ones delivers far more safety for much less effort. A security posture organized around probability, rather than possibility, removes fear from the equation and replaces it with a sense of proportion, and with four things you can do right now.
Lord’s frustration with outdated advice and misplaced focus is really about attention. Most people don’t need a cybersecurity overhaul; they need clarity about what matters.
His model rejects fear and replaces it with maintenance: turn on MFA, use a password manager, update your devices, and use passphrases. If you want my two cents: treat urgency as a warning sign, not a cue to act, and use DeleteMe to remove your PII from people search sites, because your data is everywhere, and so is the crime it enables.
That’s it. No overhaul required, just good habits that scale.