10 Computer Security Myths to Stop Believing

@ 9:30 Congrats, you all are now a computer GLENUIS

As a 35-year software developer, let me give you props on a good video. You hit the nails on the head and got good points across without diving into too much techspeak.

I work in IT and you'd be amazed how many clients get angry and demand to know how they got infected when they have an antivirus installed. No antivirus software is going to catch 100% of stuff, especially if you're going around downloading and installing everything you come across online.

As a network security professional, I can tell you that most companies still enforce myth 1 religiously. This has the unintended consequence of people choosing weak password, re-using the same password but just incrementing any numbers that are used, or worse of all, writing them down (my favorite is the sticky on the bottom of the keyboard--no one will EVER look there!).

An important note on the last point: Formatting an SSD will not write zeros across the whole drive. SSDs have their own controllers and maps that strategically write data to their flash chips, the OS doesn't have access to the true locations of the files. I have heard of an alternative protocol that does allow the OS to control the SSD more directly but as far as I know it's not really in use anywhere. The reason SSDs are setup to manage their own data is to ensure proper wear leveling which preserves the life of the drive for as long as possible. Having said all that, for better or worse, it should also be much harder to recover data that was deleted from the recycling bin.

As I learned in college getting my cybersecurity degree:
The user is the weakest link to security. You can have all the best practices and procotols in place, but even those can't prevent everything.

Also VPNs aren't really completely private. They're great for getting around geo-restrictions, and for remote work, but as you mentioned in another myth - if you log in or if a website uses cookies, they can still gather information about you. Generally speaking, if you want security or privacy, you can't rely on only a single piece of software - you use multiple strategies that cover different aspects of security and privacy.

Overall, pretty good. A few technical issues I have though.
Myth #2, the "padlock icon" or "secured notice" in your browser just means that the browser is detecting that the SSL cert info matches the web server info and is saying that it's "verifed". It does NOT however mean that "no-one is in the middle messing with it". Man in the middle attacks still intercept secure traffic links to harvest PII. The attacker spoofs the secure connection and you browser can't detect that there is an third party in the mix.
Myth 8, more of a technicality, but keyloggers don't take over your computer, they just collect info on what you type to harvest passwords and other PII. Rootkits allow other software to take advantage of vulnerabilities. They allow other malicious software and users to exploit vulnerabilities and gain access to a machine. Technically, neither are capable on their own to take over your computer.

You did a good job trying to inform people on the myths you listed. I have been working in IT since 1978 and have seen so many changes in the industry overall. My focus currently is with network security in business environments. It amazes me how many business owners either believe these myths or know little to nothing about their network environment. Sometimes the hardest part is getting them to invest in their own security. The alternative can be far more devastating. Thanks for putting this video out!

Here's one I heard too many times in my IT career: "I don't need antivirus, I have a Mac!"
I deliver auto parts now. Much less stressful than arguing with idiots.

Myth 1: You need to change your password frequently. (Creating a single really strong password is better than using weak passwords that you change often).
Myth 2: The padlock icon means a site is safe or trustworthy. (It only means the connection is secured).
Myth 3: Incognito mode makes your internet activity untraceable. (Websites can still track your IP address or recognize you when you login).
Myth 4: Strong passwords are just to stop people from guessing it. (If a website gets hacked, all the encrypted passwords will be shared with hackers who use computers to try to crack them).
Myth 5: A strong password must be complex. (Making your passwords longer is often better than just adding numbers or symbols, unless you're using words alone).
Myth 6: If you're good with computers, you don't need anti-virus. (There are zero day exploits and vulnerabilities that can affect even the most careful users).
Myth 7: Anti-virus will always protect you from everything. (Be careful and use common sense.)
Myth 8: If you have a virus, you'll know it or it will be obvious. (Except for ransomware, most viruses or malware today are spyware that you won't know is on your device).
Myth 9: A strong password is all you need to secure your accounts. (Two-factor authentication is very important).
Myth 10: Deleted files or formatted drives can never be recovered. (Deleted files and quick-formatted drives can usually be recovered with special software).

Note that even a "*slow*" format doesn't do a secure delete. Some drives might have a secure delete operation, but most consumer drives do not. With spinning-rust drives, you're generally fine if you ensure the disk actually writes out 0s to the physical sectors. With SSDs, wear leveling can keep you from ever writing the physical sector again. Bottom line, you should keep sensitive data encrypted, and keep the encryption keys somewhere you *can* delete them (like a hardware key), or at the least keep _them_ encrypted with a password.

I used to maintain a website. In the website logs are the unencrypted usernames of everyone who logged in. Every once in a while someone accidently put their password where their username should go and vice versa. Of course, the server denied them access. Then a few seconds later there was another login attempt with the username and password in the correct order. The password isn't logged. By searching the logs for gibberish usernames, followed by proper usernames from the same IP address I was easily able to find several passwords a week. I reported this vulnerability to my management, but I don't know what they did about it (if anything).

I love how the AI interpreted the "sketchy link" prompt as a literal link that had been sketched.

As someone currently working in infosec, I'd like to point out an issue with the NIST recommendation for never expiring passwords. NIST is designed for government agencies that are already following all of the other guidelines. This means that bodies who follow this will also have modern 2FA, good minimum complexity requirements with phrases, no one is reusing the same passwords, SSO is configured everywhere possible, and these passwords are not being stored in an insecure manner. Not changing passwords IS the best practice if every other best practice is also being followed.
For example, I can guarantee you that many companies have not adopted 2FA more advanced that an SMS message and most users will still be reusing the same passwords for multiple accounts anyways. Also, many of those users will be using the infamous password spreadsheet instead of a manager.

Everything spot on except number 10. With modern flash storage, there is a feature called TRIM on the SSD itself which overwrites files as they are deleted so file recovery now is a bit complicated. An exception is with Full Disk Encryption because TRIM only works on entire files, so when it sees an encrypted file system , it sees a delete operation as an update rather than a delete so TRIM doesn't kick in.

The LastPass password management suggestion really didn't age well in four months given what we've learned about the hack, their security practices, and their subpar browser extension. If the dev groups I frequent are an indication I think there's a mass exodus to Bitwarden, a company which seems to take security much more seriously by comparison.
Also, Incognito Mode doesn't use the cookies/site data stored in the browser picked up during non-incognito mode. That's why you would need to log in to sites again if in incognito mode.

Great content, as usual.
Quick add-on: Incognito mode also deletes all cookies when you close the browser. Great for when you're wanting to log into the same site with different credentials, like when you're alpha testing a website.

The private browsing thing I find funny, because all incognito and private mode landing pages I've seen explicitly tell you what it does and doesn't do. Usually even explaining that your ISP, Employer/School, and the website you are visiting still see the activity.

The deleted files thing is a bit more complicated with SSDs. On mechanical hard drives, it's true deleting (or quick formatting) does not remove the actual data. On an SSD though, deleting a file will, sooner or later, also wipe the data due to the TRIM command. Windows sends this with every file IO (and for quick formats). Linux uses FSTRIM which is usually scheduled to run (ie once per day or whatever). And different SSDs handle the trim command differently.

I like the way you explain stuff, it's very easy to follow along. Would you mind making a tutorial about those yubico authenticators including showing how to add them to various popular services?

Hey Joe, I just realized that I've been watching your videos for over 10 years now. From the troll videos I used to watch in primary school and actually trying them out and being disappointed/angry to today, where I'm studying computer engineering, I gotta say I always enjoyed your videos even if it's about something I understand to the core of it.
You've always been one of my favorite tech youtubers as your videos are always entertaining to watch. Not much else to say besides cheers to another 10🍻

I really appreciate that besides good information, concise, but clear, you have went through the length of mentioning every single edit, its source and provided even links to locations you went to for checking something. That's good editing, and crediting the spots elements you added to your video.

Glad to know I already knew most of these. Only one I missed was part of number 1, that the best practices have shifted to only changing passwords when there's a suspended breach.
The mention of password managers is somewhat lacking, because they're not infallible either. I recall LastPass had a pretty serious breach sometime in the last few years.

Unless that changed recently, long formatting doesn't even overwrite the old data, it just checks every sector. The low-tech technique I use is to create a "filler" file with data from ond of my big files with nothing I worry about in. Then, once I've deleted everything, I re-fill the drive with that filler, and then re-delete it. The data left on the drive is now that filler repeated over and over, not my original files. Quite time-consuming, but worth doing before donating or discarding a PC.

10:05 That guy holding the notebook deserves an Oscar

15:25 - If you truly need data gone you can only do a few things:
1. Do a 7 -12 data pass, using a mix of random data, all 0s and all 1s.
2. FILL up your drive with dummy data, and then do that a few times (all free space after deleting the file).
3. Replacing the drive and destroying the old one
4. If the drive is a spinning drive (not SSD), using a DEGAUSS machine (takes around 60seconds to finish) to modify the magnetic properties of the platters.
It's possible, using very sensitive forensics to recover data on platters, AS WELL as NAND flash used in SSDs, but obviously is expensive / used by higher agencies and targets. Also, it may not be possible to overwrite individual physical locations on an SSD unless the TRIM algorithm and memory controller have cycled through that cell enough times. SSDs usually have around 10%ish EXTRA flash cells for wear leveling, and may not "reuse" a cell for awhile if they instead use other cells to extend the life of the drive.
The best option is to physically destroy the drive. For 99% of users, deleting a file, and then running a 7-12 pass of random data (you can download free programs that do this) is enough to conceal files recovered via "sector based recovery" programs.

Great video. One more myth I would add is that security questions make your account more secure. This really isn't the case. A security question is most often a simpler, shorter password that you can find the answer to from looking at the person's social media account. I always treat security questions as passwords and generate long answers (stored in my password manager)

One of the reasons for changing passwords regularly is that people often see the first characters of a colleague typing their password. Over time they work out the whole password. It's definitely a valid procedure

Theo Joe: your browser history can be tracked even if you're using a VPN
Theo Joe 13 seconds later: private internet access VPN will prevent your browser history from being logged

4:51 hash functions are one way. "decrypting" in this context just means guessing the password a bunch of times, though obviously if the database is leaked the attacker is unlimited in the number of guesses they can do, unlike if they were to try to log on directly to the website.

3:23 Regarding Myth 3. Incognito mode AKA private browsing also has separate cookies from the regular mode and starts off with no cookies but can accumulate them. Private mode cookies are cleared when you close all private tabs/windows.

I liked this video, it more or less echoes what I explain to people. You explain things in a very clear, concise and easy-to-follow way. Only thing I’d add is that these days with SSDs and TRIM, deleted files, whilst they may still be retrievable, are less likely to be so than with spinning rust disks.
One more thing - nothing to do with your actual content - I do feel that VPNs don’t quite do what they say. Unless I’m missing something, they are no more private than using your ISP without a VPN. You’re just moving the breakout point to the internet from your ISP to the VPN provider. Who do I trust more? But yes, they’re useful for watching foreign Netflix stuff but I really can’t see what privacy they offer that really matters. Obviously you as a content creator who gets sponsored aren’t going to be able to reply much…

While private browsing isn't perfect, it does more than you give it credit for.
Cookies are session only, so your searches aren't linked to your Google account and logins from private will be removed when switching back.
No data is stored clientside.
Web trackers get blocked.
Plugins are restricted.
The most important thing it doesn't protect is ip of you and the servers you're connecting to.

Very good! As a software developer, yes: use a password manager, allow it to generate passwords as long and as complicated as the site will allow, rotate them regularly, don't click any links in emails from addresses you're not 100% sure off, don't visit websites you're not sure of, consider using a VPN, keep things up-to-date, and rock on.

Another security myth is that having strict password rules makes it more difficult to crack passwords. In reality, it just makes it easier for hackers because they can narrow down what the passwords will contain.
Also, requiring very long passwords is a terrible idea because most users will just go with the bare minimum length. IE: If the minimum length is 16, then most will just go with a 16, 17 or at most 18 character password. Now the hackers know the most likely length, and will know it must contain certain characters.
This is why tech giants like Google and Apple have fairly lax password requirements, I believe both of them require 8 characters, and may require at least one number. This greatly increases entropy because the hackers have very little information they can use to narrow down the possibilities.

Myth #6 is applicable to Linux. Sure, Linux has some additional protection because it's only about 1% of the operating system market and it relies on software repositories more heavily, but there has been an increase in supply chain attacks that threaten repositories.

About the last one, I believe that if you use SSD and you have TRIM enabled, it's much harder to read that "deleted" data (but NOT impossible!)

Nice video. Some years ago, the word got out that 95% of people who had Windows intrusions, would have avoided it if only they had been using a NON-ADMIN logon account to their local machine. This is why a lot of companies have moved to a stance of nobody having an admin account for everyday use. It's annoying when you can't even use Task Manager to knock a misbehaving app out of memory, or install an updated mouse driver, but when companies started getting tough on that point with their employees, those companies started seeing a lot fewer actual intrusions, especially the really devastating one, ransomware.

My favorite myth is that everyone needs a VPN. You only need a VPN if you travel frequently and/or have a high security job. There are reasons to want a VPN like accessing region locked content or get around content filters. Privacy really isn't a reason to use VPN because you'll still be tracked around the web.

I think a pretty big security myth is that security questions are anything but a super easy express lane to stealing your information. People will use basic biographical security questions such as "the city where you met your spouse" or "name of your first pet" which can be located on their public Facebook page in 5 minutes.

Thanks for the awesome video ThioJoe, keep it up!

Good video. I was an IT support person for years, the number of times I saw passwords written on Post-Its attached to monitors... I'm convinced that in most cases, computer security merely prevents honest people from getting their work done. Half of a tech calls to corp IT are from users who locked themselves out during a mandatory password change. Management smiles and keeps the policies in place.

Myth #2. That lock doesn't mean "secure" it just means "encrypted with a trusted chain of certificates." If you have security software installed on your computer, it can be intercepting your SSL/TLS traffic for "inspection". The browser shows a lock because the software installed a trusted root CA certificate so the software can provide a valid certificate for any URL. (for the software my former employer used, that inspection is done by a remote server, not my own laptop. and within the corp. network, that man-in-the-middle inspection happens at the perimeter firewall, not my laptop, so it can't be disabled.)
[That was a major pain in the ass for us, as every java runtime has it's own private keystore. That CA cert has to be manually installed in those keystores or nothing will work - certificate validation errors to all sites.]

A friend of mine was once going through his task manager when he noticed a program with no icon called "Internet Explorer". After some investigating it turned out that it was infact a crypto miner. He tried to delete it but it came back all the time. Windows defender didnt detect it. Then he installed Malwarebytes which finally fixed the problem...

I've never looked into what quick format does, but I figured it just overwrote the file table, and now that I went back and watched your older video, you confirmed exactly that. Neat that they just did the obvious.

You missed out something EXTREMELY important:
*Myth:* If you forget your password to your computer and you were signed in with a Microsoft account, your data is gone forever.
*Fact:* If you forgot your password to your computer and you were signed in with a Microsoft account, you can reset your password on the site, connect to your computer and try again. If that fails, you can always recover it by system restore. Also, your data isn't "gone forever", just access to that specific installed OS on the machine. You can use an external drive to collect your data since Windows doesn't lock a Hard Drive, just the OS installed on it. If you installed another OS, you can still access your files on the partition as if nothing had happened.
This is something frequent that you need to bring up. Too many people are falling for this and end up senselessly wiping important information.

I learn new computer tricks and stuff with every video that Thio uploads, so thank you man for sharing your knowledge. That said, I have a question: is there a way to lowering the shutdown time of my windows 10? It takes forever to shutdown despite the thousands of tweak I did on my comuter. I could write the list of tweaks I did on my computer to deal with the slow shutdow but it would be too long and we'd be here for a week lol. So, do you know any good trick to make my comuter shutdow faster? Even with my computer knowledge I'm still not able to figure out what's causing this issues.

The password one is such a good one, the company I work for enforces a 30 day password expiration policy with no resuse for 6 months so all that happens is everyone has myfaveword1, myfaveword2 etc and then when they get to 6 or 7 they loop back around the first 1.

Thanks! A great video and very informative 👍🏼

Excellent information; clear and concise delivery !! Thanks !!!

@2:51 it does a bit more than that.. on Firefox, it prevents service workers from being run. It also prevents cookies and other local storage methods from retaining data beyond the session. It also restricts certain JS related things and prevents some forms of user tracking and a few others I'm not mentioning..but saying it's the only thing is an incorrect blanket statement.

Just have unique password per account tbh thats enough using same passwords everywhere is one of the biggest risks

For the password thing:
The reason stronger passwords are more secure is because of how they get the passwords.
When a password is hashed, it can't just be 'unhashed', so hackers will use the algorithm and out in passwords to see what hashes they get out of it for that password.
However, they won't go aaaaaaaa, aaaaaaab, etc. They will go in order of most used passwords so that they can get more passwords out faster.
By using a unique password, it is going to be further down in the list, and thus will be less likely to have been generated and hackers know what the password is.

People commonly have misconceptions about IP addresses. Whenever someone says "I hAvE yOuR IP AdDrEsS!", I know that they have absolutely no idea of what an IP address *is*. Whenever someone asks me that, I'll just explain to them that "every website has your IP address. Your IP address is the *first* thing your computer gives to every website that you visit." The fact that those people think by simply saying some IP address thinking that others are going to be scared just infuriates me.

#1 really hit home.
On my work, due to company policy and cause its a requirement from most of our clients, our passwords expire every 90 days. And the have to be a min of 12 characters with at least on capital, one symbol and one number in them. It make such a pain in the ass every 90 days to come up with something new, and then remember it.

SMS authentication is the WORSE 2-factor. Always avoid it if the site/service allows other methods

In my experience all third party antiviruses are pointless because the built in Windows one is fine, and it doesn't slow down Windows too much. I still disable it because as a software dev it makes my life miserable.

An interesting note: I worked for a big company who used a mainframe as their password server: they only had space for 8 characters, it would not accept special characters, including spaces(!), and was not case sensitive, so good luck creating a secure password. Oh, and you had to change it every 3 months 🙄. I still have to occasionally use their system for financial information.

Myth #11: You will be a genius level expert, by the end of this video.
0:11
Kidding aside 😆

Thanks for the video. I’m concerned about password management sites like 1Password. What if these sites get hacked themselves then don’t all your passwords from emails to bank accounts get exposed all at once? Isn’t that inherent risk very serious?

*U recommended a password manager. How can one guy trust some password manager more than his memory. Cuz what if the password manager is not really secure and all of ur unremembrable passwords are store there may get leaked all at once by it. Can u please make a video on "Password Managers" on how they are more safe than having many unique passwords remembered. Is there any really free way to completely secure urself on the internet without buying a VPN or physical key?*

I use long gibberish passwords (different one for each website), and 2FA on my most important accounts, though the one type of malware that worries me are web injects (which are designed to hack your browser to trick you into using 2FA for the wrong action, i.e. transferring money to some other account). Would be cool to have an up-to-date video on how these work and how you can spot them in action if your antivirus fails.

I'm going to binge your videos and claim the hours for work.... I teach a computer school for seniors and people with disabilities at a non profit and most of it is pretty basic stuff that I, as a millennial with a bachelor degree in business/marketing could do in my sleep. However, every once in awhile the more technical problems come up and you've summed up some of those answers really well just in this one video. Thank you!

Really nice video! For myth 5, 15 character with lowercase symbols is 6.2X stronger than 11 character with lower and uppercase, numbers and symbols on shift number keys (not 10x). Myth 10 is becoming true for SSDs. Once you delete a file and empty the recycling bin, Windowos sends a TRIM signal. This causes the SSD to immediately return 0. However, behind the scenes, the data may not be garbage collected by the flash controller immediately. But to access the data, you need to contact data recovery (and they don't support all controllers. Unlike hard drives, you can't wait more than a year as SSDs lose their data when unplugged over time)

To be fair a web server should NEVER encrypt passwords but hash them with a password hashing function with a salt.

Wow Thio. Super informative. I wish I could smash the like button many times. This was great. I love learning something new and you just offered me a few more sights for my arsenal. Thank you

4.44 You keep repeating myths:
1. Passwords are not encrypted, but hashed - that's a huge difference
so: 2. There is no such thing as "decrypting passwords" in this case. Hackers can only find matching hashes with brute force, and this method (usually) requires more powerful hardware the longer the password is

Some minor nitpicks:
LastPass and 1Password are proprietary and should NOT be trusted with your passwords. Also, both of them do cloud synchronization afaik which is another red flag.
Also, AntiVirus software is useless and does more harm than good. The same goes for 2FA (most of the time).

#6 & 7 i don't particularly agree with. Anti-Viruses are a pain for me as the local town tech. Most common day users in my area install anti-viruses without knowing what it does everyday, What most likely happens is they go off and buy a premium version thinking they need it but just ends up constantly scanning the disk daily, taking up disk resources and over all making it slower. The worst is when this goes on for a long period of time. Hard drives only have a 3-6 year life span and anti-viruses do not help this. Windows has one already built in, you don't need a third party anti virus unless you've disabled windows defender. As you mentioned before sites like VirusTotal are out there to help users determine if a file is trust worthy. Personally I have windows defender disabled in the registry because i have malware on my system in a contained environment that i like to mess with on VMs. If i do scan for viruses, it's with malwarebytes. I scan once a year, then make sure it is closed in the task manager after use and disabled on startup.

Very good advise and clear explanations. Thanks.

Excellent job of quickly going through those things! WELL DONE.

pro tip: if you really need/want to change frequently ur passwords, change for a really secure password and note them in a physical notebook. No one in the digital world can mess with your analog stuff :)

Your videos are very good. Keep up the good work! ✊🏻

Interesting video. One thing you didn't mention was sandboxing programs. I use Sandboxie,and have for many years. My browser and email client are both sandboxed all the time,and I have had no issues with malware infection. When I turn in for the night,I just delete the sandbox contents.

10:13 I love how the guy slamming the MacBook had flipped the lid upside down and using keyboard as his screen lol 😂

*The fact that many government websites in India doesn't have "Padlock" encryption certification and I have to click "Continue to unsafe site" and then enter my "Secure" information anyway. So it's useless. Even some websites are unopenable because of such security thingy.*

Remember that malware can be well-obfuscated and have little to no VirusTotal detections

I used to be one of those people who thought I know what I'm doing, I don't need an antivirus. And I was okay for a few years until one day my computer started acting really strangely and I couldn't figure out what was going on. After a few days of googling and trying everything I could to fix it with no results, I downloaded a virus scanner and ran it. Sure enough, I had two viruses on my system that were causing all the problems. I recently had to disable my virus scanner when attempting to determine the source of a problem and I learned Windows incessantly bothers you, telling you don't have a virus scanner running if everything is turned off.

On the quick format: What about encrypted drives? Wouldn't the quick format overwrite the encryption key so that the newly-free space is essentially unreadable (AKA you need to find a backup of the overwritten key in order to recover stuff from there)?
I mean I believe the SATA secure erase command relies on encryption to do so quickly.

Im so happy whenever this man uploads. Lets go dude, keep it up

They biggest myth of all is that it's possible to keep your Microsoft Windows PC secure.

The padlock icon also means your data (e.g. login information) is encrypted both ways. It's good to know because some VPN providers also claim that your connection is encrypted by their service to/from any website you use (padlock icon or not) but that's not possible.
When you use a VPN, a tunnel is created between you and the VPN that encrypts your data. So it prevents anyone from "seeing" your data between you and the VPN server.
But it can't do anything about the part between the VPN and the website. If you access a server that doesn't have the padlock icon, your VPN can't protect your data from prying eyes. If it does have a padlock icon, you don't need to worry about encrypting your data, the browser and server do it for you. So if that's the only reason you're getting a VPN, not much point except that it does encrypt part of the path between you and the server so it's doubly encrypted for that section.
But a VPN is great for the other stuff, hiding your IP, bypassing geo-locking, and hiding your information from your ISP for those non-padlocked sites. It'd also prevent your DNS information from being exposed for padlocked or non-padlocked sites. So your ISP and anyone between you and the VPN won't know what websites you browsed even if they don't know what is in the data. That's good in those more freedom-challenged countries especially.

So helpful and informative. Thank you - subscribing now

Good to know that channel that was once known for click baits is now making such great informative videos!! I'm loving these 🤩

I wouldn’t recommend being *crazy* suspicious, but yes, if you see something that looks weird, then stop and think where your vulnerabilities lie.
I know people who are convinced that everything they experience that seems weird must mean that somebody has hacked into their computers.
Most importantly, be aware by watching lots of ThioJoe videos!

7:50 like Feynman's safe combo cracking technique: learn enough of the person to guess what piece of info they used as their combo and take advantage of the slop in the combo knob

Well done. Quite informative. I remember when Norton was selling his undelete utility in a ziplock bag. Some things never change.

Well looks like I didn't really believe in much of those myths. Some I did in the past, but I learned on my own that it's false. Like whenever I would update my passwords at least twice a year, I mostly try to make it longer. And I would possibly change them whenever there might have been a data breach.
As for Antiviruses, it seems quite obvious that you would always need one even if you're good with tech. Plus whenever there's new malware, then of course your antivirus isn't going to know about it.
I remember some frustrating things that happen whenever I make normal non-harmful applications. My antivirus can be like "Hold on! This file looks suspicious!", and I'm like "Come on! This isn't even a virus!". One time when I made an audio converter program, when I made it delete the old audio file. My antivirus saw it was ransomware. And I did of course get to restore it, since it wasn't ransomware. Sometimes an antivirus can get in the way of even the most normal stuff. But it's better to have one, than to get an actual virus or malware on your system.

A few comments I have (corresponding to each myth):
1. My school does this, it's so annoying! They should watch this video lol
4. Very well explained, thanks, I'll keep this in mind!
5. Good point!
9. I knew about physical security keys before, but I had no idea how good they were! Thanks, I'll keep this in mind as I might purchase one in the future.
10. Woah I actually had no idea, yet it makes so much sense! Thanks again!!

My CZcams password hasn't changed in at least 10 years. It's a very long password. I've never been hacked. Now, I know why. Thanks for this informative video!

Last Pass is part of a data breach.

“never underestimate windows security”

You kind of can backup Google authenticator. You can generate a QR code, and transfer/copy your accounts to a secondary phone, and keep that as a backup. I've been doing it for a couple years now. My new everyday phone has it, and then my older one that I keep as a backup phone is also my Google authenticator backup. Any new accounts I add to one I can either scan the new code with both phones at the same time, or just do the transfer again, and it will keep all the old accounts, but add any new ones that I've added with the new phone.

Incognito mode does more than just not cache what you're doing when the browser is closed. It also comes in handy if you think you have an outdated cookie causing an issue but don't want to clear the cache. You can open in incognito mode and it won't use cookies that are already in your cache. It also comes in handy if you want to have more than one account logged into the same site at the same time using the same browser instead of using 2 different browsers.

Excellent video! Only thing I would say is that multifactor authentication is a must for your email... Easiest way to break into other "secure" accounts is by hacking your email, and using forgot password link. Email password should be unique to that one site, and protected by multifactor... If you don't have a password manager, I personally think it's fine to use same password on stupid sites that don't matter much (aka don't have any personal or financial info). But your email, social media and financial sites should follow all recommendations he gave here.

7:20 - I use some sort of a system for passwords: I have a text file (with no txt extention of course) which serves as a password reminder. There I write every new password with dots or asteriks instead of some letters and symbols that I have in my head and on a paper (in a safe place). So for example I write "my old online-chess password plus my year of birth plus my band's name without spaces" and etc.
Some passwords has no "base word" (that it's nowhere in the PC), they're just descriptive in a manner like "our died black dog name, semi-pudel-semi-rotweller dog name" plus some year numbers with dots and another explanaition how to get it from my head. Nobody knows any of my dogs' names, these are not in social networks. Nowhere literally.
But actually the length isn't very satisfying. It's usually about 14-18 symbols. I guess it's not very safe yet :)
P.S. I have a "trash pass" of course. For "special" sites ;)

Great video. Didn't really learn anything, but I know many people, including in the IT department at work who could use this knowledge. I especially liked when you said the length of a password is more important than complexity. I was very angry at my bank a few years ago when they wouldn't let me use my password because it was too long. It was 10 words long, not 10 characters, 10 words. I was also annoyed that I was not allowed to use the space bar in my password. Password rules are often preventing good passwords.
One other tip I would definitely add to computer security. Only be admin when you have to be. I have a separate admin account that I have to promote myself with with a password whenever I am making any meaningful changes to my home PC. It is amazing how many issues get blocked when I realize that no, I don't want to promote myself to admin for that.

coming back 2 years later watching a video this guy is this making legendary videos.

That thing about deleting files made me think of a way to illustrate it, and then I realized that a lot of people wouldn't understand what I was talking about. It went something lie this:
The HDD in your computer works a bit like this. You have a collection of cassette tapes and on each tape you write down what you have recorded on that tape. So you have this C90 cassette with Lynyrd Skynyrd, and one day you realize that it's been years since you listened to it, and if you would want to do so you have the LP, so you strike out the name on the label and now the cassette is free to record something else on and you place it in the box with "empty" cassettes. That's the same as deleting a file on the HDD. Now if you don't record over or erase the cassette and you try to play it there's Lynyrd Skynyrd in all it's glory. Same with the HDD, if you read from the part of the disk where the file used to be stored it will still be there unless it has been over written by something else. Now if you record a EP single on that "empty" cassette that was your Lynyrd Skynyrd cassette then you will have the single recorded, but after that there's still the part of the Lynyrd Skynyrd LP that was not recorded over by the single you now recorded. Again that's the same with the HDD. If a small new file is recorded over a part of the sectors that contained the original file that was deleted you will now not be able to recover the entire deleted file, but parts of it can still be read.
I got that far and then I realized that a lot of people watching YT will never have had a cassette player. It's even possible they might never have seen one in real life!
And suddenly I felt old...