How to Guarantee You Get Hacked: A 5-Step Guide

Last updated: May 30, 2026

Charlie Munger was fond of an idea he borrowed from the mathematician Carl Jacobi: invert, always invert. Many hard problems are best solved backwards. If you want to know how to live a good life, study what makes a life miserable and avoid those things. If you want to build a great company, figure out everything that would destroy one and then just don’t do those things.

So let’s apply the same trick to personal security. Instead of asking the exhausting question with a thousand answers - “how do I stay safe online?” - let’s ask the much clearer one: what would I do if I wanted to guarantee I get hacked?

I can’t guarantee you’ll never get hacked, but if you want to get hacked, follow these steps and your accounts will be drained, your identity borrowed, and your inbox weaponized in no time. Avoid them, and you’ll have done most of the work of staying secure.

Step 1: Reuse the same password everywhere

This is the single most effective thing you can do. Pick one password. Ideally something memorable like your dog’s name and a birth year, or the year you graduated, or your anniversary date. Now use it for your email, your bank, your shopping accounts, your work login, everything. If you want to feel smarter than you are, make small tweaks sometimes. No one will ever guess that your Facebook password is spot1990facebook when they find your Twitter password is spot1990twitter.

Data breaches happen constantly, and when some random forum or retailer you forgot about gets breached, your email and password end up on a list that gets traded, sold, or made freely available on the right forums. Attackers then take that pair and try it automatically against thousands of other sites. This is called credential stuffing, and it’s cheap, fast, and fully automated. Your password only has to be leaked once, anywhere, for an attacker to have a master key to all of your accounts.

The inversion: Use a unique password for every account. A password manager generates and remembers them for you, so the only password you have to know is the one that unlocks the manager.
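
To see why the small tweaks from Step 1 buy nothing, here is an added Python example (not part of the original post) of the kind of reuse audit you can run over your own saved logins: it strips the site name out of each password and groups whatever collapses to the same base. The vault contents, function names, and site names are constructed for illustration.

```python
import re
import secrets
import string
from collections import defaultdict

# Constructed sample vault (site -> password); every value is made up.
VAULT = {
    "facebook.com": "spot1990facebook",
    "twitter.com": "spot1990twitter",
    "bank.example": "Spot1990",
    "mail.example": "k7#Vq2!pLz9w-TmR",
}

def base_form(password: str, site: str) -> str:
    """Reduce a password to what is left once the per-site tweak is removed."""
    p = password.lower()
    # Drop any label of the site name (4+ chars, so "com" is ignored).
    for label in re.findall(r"[a-z0-9]+", site.lower()):
        if len(label) >= 4:
            p = p.replace(label, "")
    return p.strip("-_.!@# ")

def reuse_groups(vault: dict) -> list:
    """Return sorted lists of sites whose passwords share one base form."""
    groups = defaultdict(list)
    for site, password in vault.items():
        groups[base_form(password, site)].append(site)
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)

def fresh_password(length: int = 20) -> str:
    """Generate an unrelated random password, as a password manager would."""
    alphabet = string.ascii_letters + string.digits + "-_.!@#"
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for sites in reuse_groups(VAULT):
        print("same password in disguise:", ", ".join(sites))
    print("replacement:", fresh_password())
```

Three of the four sample logins land in one group, so a leak at any one of them exposes the other two; only the randomly generated one stands alone.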

Step 2: Reject Multi-Factor Authentication

When a site offers to send you a code or use an authenticator app, decline. At best it takes a few extra seconds at login, if you have your phone nearby and don’t get distracted as soon as you pick it up, and honestly who has the time? Besides, a username and password is already two factors…

Even if you do everything else wrong, MFA is a safety net that will fairly reliably save you. An attacker with your password still can’t get in without the second factor. Safety nets are for acrobats and nerds. You don’t need no stinkin’ safety net. You’re not an idiot, you’re not going to share your password with anyone, so why bother with MFA?

The inversion: Turn on MFA everywhere it’s offered, starting with your email and bank. Most password managers have MFA support built in these days that makes it almost completely transparent to you. Avoid text messages as MFA where you can, since SMS codes can be intercepted - but any MFA is dramatically better than none. So if SMS is all that is available, it is better to use it than to not.

Step 3: Click first, think later

You think people would just go on the internet and tell lies? The email warning that your account will be closed in 24 hours? Click the link immediately and enter your password. The text about a package you don’t remember ordering? Tap it. The urgent message from your bank or your boss asking you to act fast? Do exactly what it says.

Urgency, fear, and authority are powerful motivators and are not to be trifled with. If the message isn’t real, no harm, right? But if it is real and you don’t act with urgency, that could really ruin everything. Your boss needs those gift cards before his big meeting, and it’s your fault if he doesn’t get them. The more reflexively you click, the better this works.

The inversion: Slow down on anything urgent or unexpected. Don’t click links in messages that pressure you; instead, go to the site directly by typing the address yourself. Verify surprising requests through a separate channel, such as calling the person or organization that the message supposedly came from.

Step 4: Never update anything

Those “update available” notifications are annoying. Dismiss them. Keep that “remind me later” button warm. Let your phone, your computer, your browser, and your apps run whatever version they are on. Who is this computer to tell you what to do, anyways? If it ain’t broke don’t fix it, right?

If there are no new features you care about, or no bug getting fixed that has been bothering you, then why should you bother? I mean, no one would ever target you, so who cares if some software has a “vulnerability?” The longer you go without patching, the more advantages you give attackers to get in or to get more information once they are in.

The inversion: Turn on automatic updates for your operating system, browser, and apps. The occasional restart is a small price for closing doors that attackers are actively trying to walk through. These days most things pick up right where they left off anyways.

Step 5: Broadcast your entire life publicly

Post your birthday, your pet’s name, the street you grew up on, your first school, your mother’s maiden name woven into a nostalgic anniversary post. Make it all public.

Notice that these are the exact same things that “security questions” ask you to confirm your identity. They’re also the raw material for a convincing impersonation. An attacker who knows your routines, your relationships, and your history can craft a message that feels personal and legitimate, which loops right back to Step 3. Every detail you broadcast is a detail someone else can use to become you or to fool the people who trust you.

The inversion: Be deliberate about what’s public. Lock down your social profiles, and treat security-question answers like passwords - they don’t have to be true, just memorable. Your first car can be “purple-rhinoceros-42” as far as the bank is concerned.

The point of inverting

None of these five steps are exotic. That’s exactly why the inversion is useful: the things that guarantee disaster are mundane, and so are the fixes. You don’t need to become a cybersecurity expert. You need to not do five very ordinary things and do the opposite instead.

A unique password per account. MFA turned on. A pause before you click. Let the updates run. A little restraint about what you share. Get those right and you’ve sidestepped the overwhelming majority of how real people actually get hacked.

As Munger would say: it is remarkable how much long-term advantage people like us have gotten by trying to be consistently not stupid, instead of trying to be very intelligent.
