A Christmas Fail – Putting holiday hacklore on the naughty list

What Is Cybersecurity “Hacklore” and Why Does It Still Persist?
Every holiday season, we retell strange and wonderful stories: yule cats prowling Iceland devouring children without new socks; Krampus, the horned shadow of St. Nicholas, punishing naughty children in Germany; and Tió de Nadal, a magical log that “poops” candies and gifts in Catalonia. Folklore (no matter how strange) is part of the season’s charm.
In IT and cyber security, we have our own folklore—or rather, hacklore: well-meaning stories that started from a grain of truth but have been repeated so often that they are now treated as fact, even though the technology landscape has moved on. The best gift you can give this season is the ability to separate the facts from the cybersecurity myths and misconceptions. So let’s call out a few of the most persistent pieces of hacklore, explain why they no longer hold up, and put them on the naughty list before they do more harm than good.
The Top 3 Myths about Cybersecurity
Myth #1 - Don’t connect to public Wi-Fi
If you’ve been watching the news headlines this month, this one might look familiar: “TSA warns travelers to avoid free public Wi-Fi”. The coverage makes it sound like hackers have infiltrated every transport hub with free Wi-Fi. In fact, this lore is so embedded in the public psyche that, if you tell someone you work in cyber security, they will gleefully tell you how they know not to connect to public Wi-Fi and use a VPN at all times.
The origins of this hacklore date back to a time when most internet traffic wasn’t encrypted and you could grab plain-text credentials out of the Wi-Fi-filled air. However, the world has moved on. Now, the vast majority of modern apps and websites encrypt traffic with TLS, browsers flag plain HTTP pages as “Not secure” and warn about bad certificates, and messaging apps add end-to-end encryption. What a bystander on the same network can still see is metadata (which hostnames you connect to, and roughly when and how much), not the content of your sessions.
The most common risk is the same whichever network you connect to: fake login pages that harvest your credentials. That could be a phishing page that appears when you join some public Wi-Fi, or the page behind a link you click in an email on your home Wi-Fi. We need to warn people more about where they enter credentials and less about where they connect to Wi-Fi. Enabling multi-factor authentication belongs at the top of your Christmas list for the same reason, ideally a phishing-resistant form such as a passkey or security key, because a one-time code typed into a fake page can simply be relayed to the real one.
This hacklore is partly driven by consumer VPN apps that claim to shield your browsing from the prying eyes of attackers, while neglecting to mention that the VPN provider itself now sees all of that traffic (the trust has moved from the coffee shop to the vendor) and that a VPN does nothing against a rogue login page that phishes credentials.
Myth #2 - Developers/Engineers/Support Desk need standing privilege
I recently spoke with an IT leader whose organization had removed 5,000 local administrator accounts, but, just like in The Santa Clause, you have to be wary of the small print. Their policy said that any user who needed the privilege reinstated simply needed a director’s sign-off.
This, of course, resulted in a flurry of “admin gifting” as directors blindly signed off on 4,200 requests as if they were Christmas cards. They believed the lore: that local admin rights are needed, and that it is easier to elevate the entire account than to grant only the specific permissions a task actually requires.
When it comes to any form of privileged access, you shouldn’t hold on to it all year round. Instead, you need a just-enough and just-in-time (JIT) approach—much like how I do gift shopping. Users, no matter how technical (or senior), don’t need permanent, always-on privilege; they need frictionless, time-boxed access that is scoped to the task and expires on its own once the task is done.
In the age of identity threats, the number one thing on the threat actor’s wish list is compromising an identity with standing privilege. That isn’t just about local admin rights. It applies to dozens of privilege escalation pathways across on-prem systems, cloud environments, and SaaS applications. So, when it comes to privilege, less is more this holiday season.
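To make the just-enough / just-in-time idea concrete, here is an added example of a minimal privilege broker in Python. It is illustrative code written for this post, not BeyondTrust’s product or any real PAM API; the identities, action names, the one-hour TTL cap and the sample timestamps are all assumptions. A JIT grant names the specific actions a task needs and carries an expiry; a legacy “director signed it off” grant has no expiry, which is exactly what the broker reports as standing privilege.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional

# Added example for illustration only (not BeyondTrust code). Identities,
# action names, TTLs and timestamps below are constructed assumptions.


@dataclass(frozen=True)
class Grant:
    identity: str
    actions: FrozenSet[str]          # just enough: named actions, not "admin"
    expires_at: Optional[datetime]   # None = standing privilege (what we want gone)
    justification: str


class PrivilegeBroker:
    """Issues time-boxed, task-scoped grants and records every elevation."""

    def __init__(self, max_ttl: timedelta = timedelta(hours=1)):
        self.max_ttl = max_ttl
        self.grants: List[Grant] = []
        self.audit: List[dict] = []

    def request(self, identity: str, actions, justification: str,
                ttl: timedelta, now: datetime) -> Grant:
        """JIT path: a scoped grant that expires by itself. The TTL is capped
        so nobody can ask for 'an hour' that quietly lasts a year."""
        if not justification.strip():
            raise ValueError("a justification is required for elevation")
        ttl = min(ttl, self.max_ttl)
        grant = Grant(identity, frozenset(actions), now + ttl, justification)
        self.grants.append(grant)
        self.audit.append({"at": now, "identity": identity,
                           "actions": sorted(actions),
                           "expires_at": grant.expires_at, "why": justification})
        return grant

    def import_standing(self, identity: str, actions) -> Grant:
        """Legacy path: the account a director signed off with no expiry."""
        grant = Grant(identity, frozenset(actions), None, "legacy sign-off")
        self.grants.append(grant)
        return grant

    def is_allowed(self, identity: str, action: str, now: datetime) -> bool:
        """Least-privilege check: the action must be in scope AND unexpired."""
        return any(
            g.identity == identity
            and action in g.actions
            and (g.expires_at is None or now < g.expires_at)
            for g in self.grants
        )

    def standing_privileges(self) -> List[Grant]:
        """What an attacker most wants: grants that never expire."""
        return [g for g in self.grants if g.expires_at is None]


def demo() -> dict:
    """Constructed scenario: one JIT grant, one legacy standing grant."""
    t0 = datetime(2025, 12, 24, 9, 0, tzinfo=timezone.utc)
    broker = PrivilegeBroker()
    broker.request("dev.alice", {"service:restart"}, "hotfix deployment",
                   timedelta(minutes=30), t0)
    broker.import_standing("support.bob", {"localadmin:*"})
    return {
        "alice_in_window": broker.is_allowed("dev.alice", "service:restart",
                                             t0 + timedelta(minutes=10)),
        "alice_after_expiry": broker.is_allowed("dev.alice", "service:restart",
                                                t0 + timedelta(minutes=31)),
        "alice_out_of_scope": broker.is_allowed("dev.alice", "user:create",
                                                t0 + timedelta(minutes=10)),
        "standing_count": len(broker.standing_privileges()),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the `standing_privileges()` report is the audit the IT leader above was missing: after a reinstatement wave, the question is not “how many admins did we remove?” but “how many grants still have no expiry?”.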
Myth #3 - Changing passwords regularly
You’re making a password, you’re checking it twice; gonna find out who’s been compromised.
We used to encourage users to change their passwords regularly, with some companies enthusiastically enforcing 30-day limits. The result reads much like a Christmas cracker joke: “What do you get if you force users to rotate their password every month? Weaker passwords!”.
Like much cybersecurity hacklore, it detracts from solving the real problem. What we need is for users to stop reusing passwords across systems and to choose one strong, unique password per account (a password manager makes that practical), ideally alongside strong MFA. Forced rotation pushes users in the opposite direction: to remember the new password they increment a digit or recycle an old one, which lowers the security of their identity.
NIST guidance in SP 800-63B has advised against arbitrary periodic rotation since 2017, and the 2024 revision makes it firm: don’t force changes on a schedule, do force a change when there is evidence of compromise, and screen new passwords against lists of known-breached values. The reasoning is simple: if a password hasn’t been compromised or shared, one strong password is better than ten weak ones. There are, of course, exceptions for privileged accounts, shared accounts, and non-human identities, where an enterprise secrets management solution is essential for securing, rotating, and managing those credentials.
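The following added example (written for this post, not taken from NIST or from any product) shows what “rotate on evidence of compromise, not on age” looks like as a policy check. It compares the legacy 30-day rule with a compromise-driven rule, using the k-anonymity lookup pattern that breached-password range APIs use: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned suffixes locally, so the full hash never leaves the device. The breach corpus is a tiny constructed stand-in embedded inline; the counts are invented.

```python
import hashlib
from collections import defaultdict
from typing import Dict, Tuple

# Constructed breach corpus: a stand-in for a real breached-password feed.
# Entries and counts are made up for this example.
BREACH_CORPUS: Dict[str, int] = {
    "password123": 2_400_000,
    "Winter2025!": 1_150,
    "letmein": 890_000,
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus: Dict[str, int]):
    """Index the corpus the way a k-anonymity range API serves it: the first
    5 hex chars of the SHA-1 select a bucket, and the bucket maps the remaining
    35 chars to a breach count. A client only ever sends the 5-char prefix."""
    ranges = defaultdict(dict)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        ranges[digest[:5]][digest[5:]] = count
    return ranges


RANGES = build_ranges(BREACH_CORPUS)


def breach_count(password: str, ranges=RANGES) -> int:
    """How many times the password appears in the corpus (0 = not seen)."""
    digest = sha1_hex(password)
    bucket = ranges.get(digest[:5], {})   # this lookup is the only 'network' call
    return bucket.get(digest[5:], 0)      # suffix comparison happens client-side


def legacy_must_rotate(days_since_change: int,
                       max_age_days: int = 30) -> Tuple[bool, str]:
    """The hacklore policy: age alone forces a change."""
    if days_since_change >= max_age_days:
        return True, f"password is {days_since_change} days old"
    return False, "within rotation window"


def must_rotate(password: str, days_since_change: int,
                ranges=RANGES) -> Tuple[bool, str]:
    """Policy in the spirit of SP 800-63B: rotate on evidence of compromise,
    never on age alone."""
    hits = breach_count(password, ranges)
    if hits:
        return True, f"seen {hits:,} times in breach corpus"
    return False, f"no evidence of compromise after {days_since_change} days"


if __name__ == "__main__":
    for pw, age in (("password123", 5), ("correct horse battery staple", 400)):
        print(pw, "legacy:", legacy_must_rotate(age), "modern:", must_rotate(pw, age))
```

Note what each policy gets wrong in the other’s favourite case: the legacy rule happily keeps a five-day-old “password123”, while the compromise-driven rule leaves a 400-day-old strong, unique passphrase alone.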
And one more thing…
Instead of reflexively warning people not to scan QR codes, not to charge their devices from public USB ports, and to clear their browser cookies regularly, let’s focus on helping them secure their identities and spot real scams in 2026.
Wrapping up
Folklore travels and endures because it’s vivid, memorable, and social. Cybersecurity hacklore is no different. With vivid images of hackers in the shadows wielding magical exploits, it’s easy for cybersecurity myths and misconceptions to outrun the truth. Every industry has its own lore, from urban legends to superstitions. So before you tie a bow on another piece of outdated advice, make your New Year’s resolution to focus on reducing real risks over telling winter’s tales.
This season, unwrap the real risks in your environment with the complimentary BeyondTrust Identity Security Risk Assessment.
FAQs
What is cybersecurity hacklore and why does it persist?
Cybersecurity hacklore refers to outdated cybersecurity myths or advice that originated from real risks but no longer reflects how modern technology and attacks work. These myths persist because they are easy to repeat and remember, even though they distract organizations from addressing real identity security risks, such as credential theft, over-privileged access, and phishing attacks.
Why is outdated cybersecurity advice risky?
Outdated cybersecurity advice is risky because it can give organizations a false sense of security while leaving modern attack paths exposed. Attackers now focus on compromising identities through stolen credentials, excessive privileges, and unmanaged non-human identities rather than exploiting networks directly. Relying on legacy guidance often means ignoring the identity risks that lead to real breaches today.
How can organizations identify real identity security risks?
Organizations can identify real identity security risks by gaining visibility into all identities, human and non-human, and understanding where excessive privileges, stale credentials, and hidden paths to privilege exist. Identity security risk assessments help replace assumptions with measurable insight into where attackers are most likely to succeed.