
Information Security: Core Concepts Everyone Should Know

CIA triad, passwords, 2FA, phishing, and common threats explained without fluff. The essentials for protecting personal accounts and understanding how real attacks work.


Last week a friend texted me asking if he should change his bank password after clicking a link from an SMS. The link looked real, the sender looked like his bank, and he had no way to know. He made the mistake practically anyone would make — including people who work in tech.

This post isn't a "10 security tips" listicle. It's the minimum set of concepts that, once understood, change how you think about digital threats — without needing to become a security analyst.


The CIA triad: what every security system protects

Every information security discussion starts with three properties. Not because it's elegant theory, but because any attack violates at least one of them.

Confidentiality means ensuring information reaches only those who have permission. A password stored in plaintext in a database violates confidentiality. An email sent to the wrong recipient does too.

Integrity means ensuring information isn't altered without authorization. A file you downloaded that was modified by malware in transit violates integrity. A transaction log someone edited to cover their tracks also qualifies.

Availability means ensuring systems and data are accessible when needed. A distributed denial-of-service (DDoS) attack violates availability — the system exists, but can't respond.

Why does this matter in practice? Because it helps classify threats and prioritize defenses. When someone asks "is this system secure?", the right answer is: secure against what type of violation? An encrypted database guarantees confidentiality but can be destroyed, violating availability. A public backup guarantees availability but violates confidentiality.


Why weak passwords still exist (and what to do about it)

Most people know "123456" is a bad password. It still tops every significant data breach dump. The reason isn't ignorance — it's the cognitive cost of memorizing dozens of unique, complex passwords for services you use once a month.

What makes a password resistant to attack isn't having @ instead of a. Tools like hashcat apply these substitutions automatically — password becomes p@ssword, p@55w0rd, P@55w0rd! in milliseconds. What actually protects is length combined with randomness.

A 20-character random lowercase password is mathematically far harder to crack by brute force than P@$$w0rd!123, regardless of the symbols. The search space is the alphabet size raised to the power of the length: length is the exponent and grows the space exponentially, while adding character types only enlarges the base.

The practical solution isn't to memorize better passwords. It's to stop memorizing passwords. A password manager — Bitwarden (open source, free), 1Password, KeePass — generates and stores unique 20+ character passwords for each service. You memorize one strong master password. The rest is generated and forgotten.

Three minimum rules:

  • Different password for every service. Reuse is what turns a breach at one irrelevant site into an attack on your important accounts.
  • Minimum 16 characters, random. Not a phrase with substitutions — genuinely random characters.
  • Never recycle. If you use the same base with per-service variations, you don't actually have different passwords.
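As an added example (not the post's own code), the search-space arithmetic and the substitution-undoing described above, turned into a small password-audit helper: it scores a password by alphabet size and length, generates one from the OS CSPRNG, and flags leet-substituted dictionary words. The wordlist is a constructed stand-in.

```python
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Brute-force search space is alphabet_size ** length; in bits that is
# length * log2(alphabet_size). Length is the exponent, the alphabet only the base.
def search_space_bits(length: int, alphabet_size: int) -> float:
    return length * math.log2(alphabet_size)

# Generate from the OS CSPRNG via `secrets`; never use `random` for passwords.
def generate_password(length: int = 20, alphabet: str = string.ascii_lowercase) -> str:
    return "".join(secrets.choice(alphabet) for _ in range(length))

# The substitutions cracking rules apply automatically. Undoing them shows
# what "P@55w0rd!123" really is before comparing against a wordlist.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o",
                       "5": "s", "$": "s", "7": "t"})

def normalize_leet(password: str) -> str:
    base = password
    while base and not base[-1].isalpha():  # drop trailing "!123"-style padding
        base = base[:-1]
    return base.translate(_LEET).lower()

# Constructed stand-in; a real audit uses a breach-derived list.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou"}

def is_weak(password: str, wordlist=COMMON_WORDS, min_length: int = 16) -> bool:
    return len(password) < min_length or normalize_leet(password) in wordlist

if __name__ == "__main__":
    for pw, alphabet in [("P@$$w0rd!123", PRINTABLE),
                         (generate_password(), string.ascii_lowercase)]:
        bits = search_space_bits(len(pw), len(alphabet))
        print(f"{pw!r}: {bits:.1f} bits, weak={is_weak(pw)}")
```

The 20 random lowercase characters come out at roughly 94 bits against about 79 for the 12-character "complex" password.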

2FA: the insurance that protects when the password leaks

Two-factor authentication (2FA) is the idea that authentication requires two independent elements: something you know (password) and something you have (phone, hardware key) or something you are (biometrics).

The reason this matters: credentials leak. It could be a service you used once in 2019 and forgot, it could be phishing, it could be malware. With 2FA active, a compromised password isn't enough to get in — the attacker also needs the second factor.

Not all 2FA is equal. In increasing order of security:

SMS is the weakest. SIM swapping — convincing a carrier to transfer your number to the attacker's SIM card — is a documented attack used against high-value targets. For your bank account or primary email, SMS 2FA is better than nothing but insufficient if you're a real target.

TOTP (Time-based One-Time Password) is the 6-digit code that changes every 30 seconds. Apps like Google Authenticator, Authy, and Bitwarden Authenticator generate these codes from a secret key stored on your device. No carrier dependency, no SIM swapping. This is the minimum reasonable standard for important services.

Hardware keys (YubiKey) and passkeys are the highest standard. The authenticator must be present, and in WebAuthn the credential is bound to the site's origin, so phishing doesn't work: the key won't authenticate against a site that isn't the real one.

For most people, TOTP on email, social media, and financial accounts already eliminates the vast majority of practical attack vectors.
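Added example, not code from the post: how an authenticator app derives the 6-digit code from the shared secret and the current 30-second step (RFC 6238 TOTP built on RFC 4226 HOTP), plus the verification a server should perform. The RFC's published test secret is used so the output is checkable; the base32 secret in the demo call is constructed.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch,
# which is why the code changes every 30 seconds and needs no network or carrier.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)

# Authenticator apps store the secret base32-encoded (that is what the QR code carries).
def totp_from_base32(b32_secret, unix_time=None):
    secret = base64.b32decode(b32_secret.upper() + "=" * (-len(b32_secret) % 8))
    return totp(secret, int(time.time()) if unix_time is None else unix_time)

# Server-side check: constant-time compare, tolerate +/-1 step of clock drift,
# and never accept a step at or before the last one that authenticated (replay).
def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_step: int = -1, window: int = 1, step: int = 30):
    for delta in range(-window, window + 1):
        candidate_step = unix_time // step + delta
        if candidate_step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate_step), submitted):
            return True, candidate_step
    return False, last_used_step

# Test secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC6238_SECRET, 59))               # 287082 per the RFC test vectors
    print(totp_from_base32("JBSWY3DPEHPK3PXP"))   # live code for a constructed secret
```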


Phishing: the attack that doesn't need a technical exploit

Phishing is the technique of impersonating a trusted entity to obtain credentials, personal data, or access. It's the most common entry vector in successful attacks — not because it's sophisticated, but because it works regardless of how good the technical systems it bypasses are.

A server with all patches applied, perfect encryption, and strong passwords can be compromised if an employee clicks a link that looks like the company's VPN portal and types their credentials.

The most common patterns you'll encounter:

Urgency email: "Your account will be closed in 24 hours if you don't confirm your details." The urgency is intentional — it prevents you from thinking clearly before acting.

Sender spoofing: the email address looks like support@yourbank.com but the actual domain is yourbank.support-account.xyz. Look at the full domain, not the friendly name.

Shortened links or redirects: bit.ly/confirm-account pointing to yourbank-authentication.com. Hover over links before clicking — most email clients show the real URL in the footer.

Spear phishing: personalized messages using real information about you (name, role, company, recent projects). Collected from LinkedIn, social media, previous breaches. Far more convincing than generic email.

The most effective defense against phishing isn't getting good at spotting malicious links — it's having 2FA active, because even if you surrender the credentials, the attacker still needs the second factor. The second defense is direct verification: if the bank sent an urgent email, close the email and access the bank's website by typing the URL yourself.
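Added example, not from the post: the "look at the full domain, not the friendly name" check from the patterns above as code, run over a constructed From header and link built on the post's yourbank examples. The registrable-domain helper keeps only the last two labels; a real mail filter would consult the Public Suffix List so that names like bank.co.uk are handled correctly.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Naive registrable domain: last two DNS labels. Enough for yourbank.com vs
# yourbank.support-account.xyz; use the Public Suffix List in production.
def registrable_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

# The domain that sent the mail is the one after the @ in the address part,
# never the friendly name shown in front of it.
def sender_domain(from_header: str) -> str:
    _display, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()

def link_domain(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

# Returns a list of human-readable indicators; empty means nothing looked off.
def phishing_indicators(from_header: str, link: str, trusted_domain: str) -> list:
    indicators = []
    display, _ = parseaddr(from_header)
    sender = sender_domain(from_header)
    target = link_domain(link)
    brand = trusted_domain.split(".")[0]              # "yourbank"
    if registrable_domain(sender) != trusted_domain:
        indicators.append(f"sender address is on {sender}, not {trusted_domain}")
        if brand in display.lower():
            indicators.append("friendly name imitates the brand")
    if registrable_domain(target) != trusted_domain:
        indicators.append(f"link resolves to {target}, not {trusted_domain}")
        if brand in target:
            indicators.append("link host is a look-alike containing the brand name")
    return indicators

if __name__ == "__main__":
    # Constructed message modelled on the patterns above.
    header = '"support@yourbank.com" <alerts@yourbank.support-account.xyz>'
    url = "https://yourbank-authentication.com/confirm-account"
    for line in phishing_indicators(header, url, "yourbank.com"):
        print("-", line)
```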


Common threats most people underestimate

Credential stuffing: attackers take username/password lists from breaches (lists with billions of combinations are publicly available) and automatically test them against other services. If you reuse passwords, this is the most likely active threat against you right now. The attack requires no special technical knowledge — ready-made tools exist for it.

Man-in-the-middle on public networks: on unsecured or poorly configured Wi-Fi, an attacker on the same network can intercept traffic. HTTPS protects content, but browsing metadata can still be collected. A VPN solves this — or simply using mobile data on networks you don't trust.

Social engineering: the oldest attack and still highly effective. Calling support and convincing them you're someone else. Finding information on social media to answer security questions. Exploiting human kindness — "hi, I forgot my badge, can you open the door?". Perfect technical security doesn't protect against social engineering without training and process.

Remote access trojans (RAT): once installed — via email attachment, pirated software, malicious browser extension — the attacker has access to what you do on the computer. A keylogger captures typed passwords, screenshots capture the screen, remote access enables full control. Antivirus helps but isn't sufficient — the main defense is not running software from questionable sources.


Threat modeling is the question nobody asks

Security without context doesn't make sense. The right question isn't "how do I become more secure?" but "against whom and against what am I protecting myself?"

A journalist covering corruption has a completely different threat model than a software engineer who just wants to protect personal accounts. The former needs end-to-end encrypted communication, rigorous OpSec, possibly dedicated devices. The latter mainly needs a password manager + 2FA + basic email hygiene.

Security measures have a cost — time, friction, money. Doing everything at once is unsustainable. The threat model helps prioritize where effort has real returns.

For most people with access to online financial services, the most probable threats are: credential stuffing from a previous breach, generic email or SMS phishing, and unauthorized access from a lost or stolen device. The defenses for these three are: unique strong passwords (manager), TOTP 2FA, and biometric screen lock. That covers 90% of practical risk without requiring professional paranoia.


Frequently asked questions

Is it safe to use the same email address across multiple services?

The email itself isn't the problem — you'll need one for login everywhere. The risk is associating it with the same password. Use the same email on any number of services, but with completely different passwords on each. Also consider creating a separate email for less trusted services, to isolate spam and phishing.

Does antivirus still do anything useful?

It does, but the role has changed. Modern antivirus protects against known malware, but sophisticated attacks and zero-days typically bypass it. The most important protection today is behavioral: not running software from unknown sources, keeping the system and applications updated (most real-world exploits use vulnerabilities that already have patches available), and being skeptical of email attachments even from known contacts if the context is odd.

Is SMS 2FA enough for a bank account?

For most people, yes — it's still much better than password alone. The real risk of SIM swapping exists, but it's an attack that requires manual effort and is used primarily against high-value targets (influencers, people with significant crypto holdings, executives). If you have reason to believe you're a specific target, migrate to TOTP or a hardware key. Otherwise, SMS 2FA already eliminates the vast majority of automated attacks.

What should I do if I suspect I was phished?

Act immediately. Change the password of the affected service from a different device than the one used at the time of the suspected incident. If it's a financial account, call the bank. Enable 2FA if it wasn't already active. Check open sessions in the service's settings and close all you don't recognize. Monitor the accounts over the following days.


The basic hygiene that changes outcomes

None of these concepts are new. What separates people who have security problems from people who don't is usually a small set of habits: unique passwords with a manager, 2FA on important accounts, and healthy skepticism before clicking urgent links.

Your threat model says you don't need to protect everything the same way. But the basic layers — unique strong password + second factor — cost an afternoon to set up and eliminate most attack vectors that affect ordinary people.

To generate passwords with real cryptographic randomness without relying on human memory, the Password Generator handles it entirely in the browser — nothing sent to a server.




For creating genuinely long and random passwords — not variations of a word you've already used — the Password Generator uses crypto.getRandomValues to guarantee cryptographic randomness. Useful when setting up new accounts or replacing weak passwords identified in a password manager audit.

Author: Rafael Duarte
Backend developer with experience in fintech and B2B SaaS; worked on teams that scaled APIs from zero to millions of requests. Carries enough production scars to have strong opinions about tools, patterns and architecture decisions. Not an academic: read the UUID RFC when he needed to choose between v4 and v7 for a high-write table.