Adam Shostack recently published a great read on why the phrase “X is Security 101” is a hindsight-focused and generally not very useful statement.

I completely agree with his point that people who are (or pretend to be) security experts need to do more than flippantly make this remark when discussing the latest security story. [I think this is part of a larger, symptomatic issue the InfoSec community has, but I’m still formulating enough thoughts on that to publish a post on it].

Mr. Shostack, at the (near) start of 2015, I would like to see your 101 list and raise you mine:

  • Use two-factor authentication for each online service you use, or at least the critical ones (e-mail and anything that can reset your other passwords).

  • Never reuse passwords across online services.

    • Corollary: use a password manager such as 1Password, LastPass, or KeePass.
  • Be careful what you post on social media.

    • Corollary: make sure your social media privacy settings restrict sharing to your friends only.
  • Always inspect links in e-mails before clicking them (the displayed text and the real destination are not the same thing) - advice I’ve been following since at least 1996.
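The last item is the one a machine can help with. Below is an added example (my own code, not something from the original post) that does the "inspect the link" check over the HTML body of an e-mail: it pulls out every anchor, and flags links whose visible text names one domain while the `href` points at another, links that smuggle a fake hostname in front of `@`, links to a raw IP address, and links to punycode (`xn--`) hostnames. The sample message is constructed for the example, and the registrable-domain heuristic (last two labels) is a deliberate simplification that does not handle suffixes like `co.uk`; a real tool would use the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that itself looks like a URL or bare domain; group 1 is the host.
_URLISH = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I
)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _registrable(host):
    # Simplification (assumption): treat the last two labels as the registrable
    # domain. Real code should consult the Public Suffix List.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def suspicious_links(html):
    """Return [(href, text, [reasons])] for anchors that fail the inspection."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        parts = urlsplit(href.strip())
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.scheme not in ("http", "https", "mailto"):
            reasons.append(f"unexpected scheme {parts.scheme!r}")
        if parts.username is not None:
            # https://paypal.com@evil.example/ really goes to evil.example
            reasons.append("userinfo before host")
        if _IPV4.fullmatch(host):
            reasons.append("raw IP host")
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("punycode label in host")
        m = _URLISH.match(text)
        if m:
            shown = m.group(1).lower()
            if _registrable(shown) != _registrable(host):
                reasons.append(f"text names {shown} but link goes to {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample e-mail body for the example (not a real message).
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please verify your account at
<a href="http://paypal.com.verify-login.example/">https://www.paypal.com</a>.</p>
<p>Or use <a href="https://paypal.com@198.51.100.7/login">this link</a>.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">www.paypal.com/help</a>
or <a href="mailto:support@paypal.com">email support</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print(f"    - {r}")
```

Run it and the two phishing-style links are reported while the legitimate help link and the `mailto:` address pass. The same check is what you do by hand when you hover over a link before clicking: compare where the text says it goes with where the browser says it goes.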