The Apricot Agency Blog


Interview with a Pentester/Cybersecurity Expert

What format or length password is best?

Q: I’ve heard capitals and alphanumeric characters are essential, but I also heard creating something really long, all in lowercase, is better. What’s the truth?

A: "Best" is really hard to quantify. Studies have shown that very long, all-lowercase passwords can be as secure as shorter, more complex passwords.

The downside is that using simple metrics like length or character types to judge strength isn’t fully accurate. For example:

  • Password123! and AcUp6wq*tu_Y are both 12 characters long and use different character types — but one is much easier to crack.

There was an XKCD comic a while ago about using long, all-lowercase passwords instead of complex ones. But that approach relies on outdated ideas about entropy.

That said, these types of passwords can still be secure today — mostly because they aren’t super common yet. However, tools already exist that can guess these passwords when they become more popular (like this semantic guesser).

A method I often recommend is based on Bruce Schneier’s approach, where you create a personal passphrase and then apply your own unique alterations to make it more random. This makes for strong passwords that are still memorable.
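As an added illustration of the point above about character-class metrics (example code, not the interviewee's): a toy strength estimator with a constructed word list scores Password123! and AcUp6wq*tu_Y identically by counting character classes, then re-scores them by the guesses a dictionary-aware attacker would need. The word list contents, its assumed size of 10,000 entries, and the symbol set are all constructed assumptions.

```python
import math
from functools import lru_cache
from typing import Optional

# Constructed word list; a real estimator loads a dictionary of many thousands of words.
WORDS = {"password", "letmein", "welcome", "correct", "horse", "battery", "staple"}
WORDLIST_SIZE = 10_000  # assumed size of the attacker's word list (constructed)
SYMBOLS = "!@#$%^&*()_-+=[]{};:,.<>?/"

def naive_entropy_bits(pw: str) -> float:
    """Length x character-class estimate that many strength meters use."""
    alphabet = 0
    if any(c.islower() for c in pw): alphabet += 26
    if any(c.isupper() for c in pw): alphabet += 26
    if any(c.isdigit() for c in pw): alphabet += 10
    if any(c in SYMBOLS for c in pw): alphabet += len(SYMBOLS)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

@lru_cache(maxsize=None)
def _segment(s: str) -> Optional[int]:
    """Fewest dictionary words that exactly tile s (case-insensitive), or None."""
    if s == "":
        return 0
    best = None
    for i in range(1, len(s) + 1):
        if s[:i].lower() in WORDS:
            rest = _segment(s[i:])
            if rest is not None and (best is None or rest + 1 < best):
                best = rest + 1
    return best

def pattern_entropy_bits(pw: str) -> float:
    """Guess-based estimate: peel trailing symbols and digits, tile the rest with
    dictionary words, and count the guesses a word-list attack would need."""
    core = pw.rstrip(SYMBOLS)
    symbols = pw[len(core):]
    stem = core.rstrip("0123456789")
    digits = core[len(stem):]
    n_words = _segment(stem)
    if n_words is None:  # no dictionary structure found: fall back to class counting
        return naive_entropy_bits(pw)
    guesses = (WORDLIST_SIZE * 2) ** n_words  # per word: index, capitalised or not
    guesses *= 10 ** len(digits) * len(SYMBOLS) ** len(symbols)
    return math.log2(guesses)

if __name__ == "__main__":
    for pw in ("Password123!", "AcUp6wq*tu_Y", "correcthorsebatterystaple"):
        print(f"{pw:28s} naive={naive_entropy_bits(pw):6.1f} bits  "
              f"pattern-aware={pattern_entropy_bits(pw):6.1f} bits")
```

The naive meter rates both 12-character passwords at about 77.5 bits, while the pattern-aware estimate drops Password123! to roughly 29 bits and prices the all-lowercase four-word passphrase per word rather than per character.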


If your personal info is online — say your address, phone number, or email on a resume — is that a security risk?

A: Absolutely. Any time you release your personal info publicly, anyone can access it.

This is a big deal when it comes to things like vishing (voice phishing). If your phone number is easy to find, you become a much easier target for those types of attacks.


Is 2FA essential? It’s kind of a pain.

A: 2FA is essential for anything that really matters.

The idea is simple: you want breaking into your account to be more trouble than it’s worth. For low-stakes accounts (like Pinterest), a strong password might be enough. But for anything holding sensitive information, 2FA is a must.


Is there a device that makes 2FA easier — like a physical fob?

A: Yes! There are MFA apps that centralize all your codes in one place (like Google Authenticator or Authy).

Some password managers can also store 2FA codes for you, but that’s a bit controversial — it puts all your security in one place, which some people (myself included) are cautious about.


How do you feel about password managers — like Chrome’s built-in manager, or 1Password?

A: I love password managers and think everyone should use one, at least for low-risk passwords.

Most people have 100+ accounts, which is impossible to manage with unique passwords in your head. A password manager helps generate and store strong passwords.

That said, I don’t trust built-in browser managers (like Chrome’s). Google’s track record on privacy isn’t great. Personally, I use 1Password (no sponsorship — I just like it), but Bitwarden is another solid choice.

Pro tip: Before picking a password manager, search "[Password Manager Name] Breach" to see if they’ve had any major security incidents.


What file types could install spyware or malware on your computer? Could a JPG or PDF do it?

A: Lots of file types can be risky, including:

  • Executable files (.exe): Can directly install malware.
  • Script files (.ps1, .js, .bat): Can run harmful code.
  • Macro-enabled documents (.xlsm, .docm): Macros can contain malicious scripts.
  • PDF and HTML files: Sometimes contain dangerous embedded scripts.
  • Compressed files (ZIP, 7ZIP, RAR): Can hide malware inside to evade antivirus.

Rule of thumb: If you don’t trust the file or source, don’t open it.


What antivirus (or general anti-malware software) do you recommend?

A: If you’re using Windows, Windows Defender is honestly your best bet. It’s built in and performs well.

For Mac, the built-in protections are decent, but you need to be careful about what permissions you give apps. I’ve heard Intego is solid for Macs, but I haven’t tested it myself.

For Linux, malware isn’t as common, so there aren’t many strong antivirus options — but most Linux users know what they’re doing anyway.


Are browser extensions a security risk?

A: Yes, they can be.

That said, popular extensions with lots of good reviews are usually fine. If you find an extension with few users or reviews, I’d be cautious.


What are the 3 worst things you can do online if you want to avoid being hacked?

  1. Clicking malicious links — especially in emails.
  2. Downloading and running sketchy programs.
  3. Reusing weak passwords across multiple accounts.

Are WordPress sites secure?

A: They can be — but most aren’t.

The biggest issue is people neglecting updates. Vulnerabilities in outdated plugins, themes, and WordPress itself are the most common way sites get hacked.


Could you hack into a site — like someone’s Gmail — if you wanted to?

A: With infinite time and money, a determined hacker could break into almost anything.

That’s why good security is about making yourself such a pain to hack that it’s not worth the effort. MFA plays a big role here.


Is it safe to store confidential info on your hard drive? If not, where should you store it?

A: Your hard drive is only as secure as physical access to your computer. If you’re the only one who uses your machine and it’s encrypted, you’re fairly safe.

But if you want extra security, offsite encrypted storage (like Box or another cloud provider) is often better.


Final Note:

Thanks for answering all these questions!
