Stop Hacklore – An Open Letter

Overall reception of the letter

  • Many see the letter as partly useful but incomplete: it challenges outdated “folk” security practices, yet critics argue it understates real risks and leans toward defeatism.
  • Supporters like the focus on practical risk and user cognitive limits: stop telling people to do low‑value rituals so they can focus on what actually prevents compromise.
  • Detractors frame it as corporate/CISO spin that normalizes tracking, weakens privacy expectations, and conditions people to be less cautious.

Passwords, rotation, and managers

  • Strong agreement that forced frequent password changes often backfire: people write passwords down or trivially mutate them.
  • Disagreement on whether rotation is still useful:
    • One camp: unique passwords + manager + breach-driven changes are enough; rotation adds little.
    • Other camp: since users are imperfect and reuse passwords, rotation can still mitigate credential reuse from leaks.
  • Wide support for password managers as the only realistic way to get unique, strong passwords at scale.
  • But strong skepticism of cloud-based managers and web-delivered encryption code (supply chain, legal coercion, targeted attacks). Some prefer local tools like KeePass.
  • “Password managers = one password for everything” is vigorously disputed: they reduce blast radius, especially when combined with MFA and autofill-only behavior.
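The blast-radius argument above rests on one mechanism: a manager fills a credential only on the exact HTTPS origin it was saved for, so a lookalike or downgraded page gets nothing. The following is an added illustration of that origin-matching policy, not code from any real password manager; the function names and sample URLs are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit


def _https_host(url: str) -> Optional[str]:
    """Return the lowercased hostname if the URL is HTTPS, else None.

    urlsplit() already lowercases the scheme and .hostname strips any
    userinfo, so "https://bank.example@evil.test/" yields "evil.test",
    not the bank's name that a victim sees at the start of the URL.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def should_autofill(saved_origin: str, page_url: str) -> bool:
    """Autofill-only policy: fill when, and only when, the current page is
    served over HTTPS and its host exactly matches the host the credential
    was saved for. Constructed policy for illustration; real managers add
    port/eTLD+1 rules, but the exact-host core is what defeats phishing."""
    saved = _https_host(saved_origin)
    current = _https_host(page_url)
    return saved is not None and current is not None and saved == current


if __name__ == "__main__":
    saved = "https://accounts.example.com/login"
    # Constructed page URLs: one legitimate, three phishing/downgrade cases.
    for url in (
        "https://accounts.example.com/signin",
        "https://accounts-example.com.evil.test/login",
        "http://accounts.example.com/login",
        "https://accounts.example.com@evil.test/",
    ):
        print(f"{'FILL   ' if should_autofill(saved, url) else 'REFUSE '} {url}")
```

The user who typed the same password everywhere would have handed it to all four pages; the manager hands it to exactly one.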

QR codes, public WiFi, and technical attack vectors

  • The letter’s downplaying of QR-code danger is contested: some argue QR-based phishing and malicious hosting are very real; others say QR risk is just “link risk” and should be treated like any other URL.
  • Similar split on public WiFi:
    • One side: HTTPS, HSTS, modern browsers, and DNS-over-HTTPS make typical MITM attacks rare; overemphasis is outdated.
    • Other side: rogue APs, local network exposure, and CA/ecosystem failures still justify caution.

Privacy, tracking, and “defeatism”

  • Several commenters object that the letter treats privacy as out of scope: “don’t bother with cookies/VPNs” is seen as capitulating to pervasive tracking and dragnet profiling.
  • Others counter that the document is explicitly about basic infosec for mainstream users, not comprehensive privacy or high-risk threat models.

Security theater and user burden

  • Commenters attack secret questions, composition rules, and extreme password policies as classic security theater that worsens real security.
  • Multiple people stress that users have finite attention: removing low-impact rules is itself a security win, but only if replaced with high-value basics (unique passwords, manager, MFA, updates, phishing awareness).