Kim Komando: The Worst Tech Advice Website Ever

I have never called out any writers or bloggers before for writing content that’s slightly off-color or off-key. In general, I respect other writers’ autonomy and freedom to their perspective. However, Kim Komando has become a case I feel I have an ethical duty to my career field to call into question. It markets itself as a tech advice website for internet newbies. I’ve read several of their articles now, which pop up in my Google Newsfeed. Each subsequent item seems to be even more wrong than the last; each piece of advice is worse than the last bit of advice given.

Is the editor of this site fact-checking this advice? It appears that they are not. Thus, this mess is now in the hands of any IT support professional that stumbles across it in their news feeds. But it especially calls women in IT up to bat in a field where we get discouraged too often already: technical writing.

Web Content Creation Problems | Managed IT Support Answers

This relates to a bigger, significant problem on the internet. It’s not just a Kim Komando problem. Many websites will hire article spinners or “mad libs writers,” as I call them. These pseudo-writers will write articles that may check out well with their SEO and appear legit to search engines like Google but are entirely devoid of any useful information. They often contain piles of blatantly false information as well. Of course, people rely on search engines to show them the most factually correct content – especially when it comes to help articles and how-to guides. Fake guru tech advice websites like Kim Komando cheapen content on the internet by diluting the content pool with trash word salads.

There are indeed some shady content writers out there who will con a client into purchasing one of these word salads as a legit unique & authoritative article. It must also be argued that some responsibility lies in the client’s hands to double-check that writer’s work to make sure it is grammatically correct, comprehensive, and factually accurate. If the client does not know how to do this, they should seek out managed IT support to act as their project manager and liaison.

A knowledgeable and experienced managed IT support consultant will ensure anyone who works on your project produces legitimate, unique work. The best-managed IT support comes from professionals who have worked in the fields they now manage. After all, how can you direct a boat if you don’t know how to steer it yourself?

Correcting Some Kim Komando “Facts”

“Facebook security warning: Thousands of passwords stolen”

In this article, Kim Komando makes these claims:

  • It’s a good idea to reset your password frequently.
  • If you set up 2FA/MFA in Facebook, it will automatically notify you if someone tries to hack your account.
  • Never using your Facebook login outside of Facebook will keep you safe.
  • If the URL is missing the term “” then it is probably a phishing site.
  • Never follow any emails that take you to a Facebook login page. These are phishing sites.

Wow. This tech advice article (like many of the articles I’ve read so far) reveals a writer who has a feeble grasp of how these technologies work. This leads to giving dangerous and misleading advice. Some of it is sure to get you phished simply because this article does not clearly explain the red flags of phishing attempts.

It’s a good idea to frequently reset your password.

IT support professionals recommended this back when the most prominent concern was that hackers would brute-force user passwords. Brute-forcing is a means of “guessing” someone’s password using a computer program to run through potential combinations of characters, trying each as a login to the target user’s account. The more secure your password was, the less likely it was that someone would be able to brute-force it before you changed it again. This sounds like legit advice. So why has it changed?

The technologies that hackers use have changed, for starters. And second, technology itself has changed so that a password is no longer likely to be a safeguard against a significant brute-force attempt. Modern computers have far surpassed the power needed to crack even the most complex passwords quickly. Hackers rarely attempt to brute-force accounts anymore, either, since 2FA/MFA have become popular additions to password logins. But most importantly, changing your password frequently can give you a false sense of security, causing you to slack off in other areas that need your attention more. Additionally, it makes little sense to change a secure password to another password that could potentially be nowhere near as safe.

Now that this has been said, it does not hurt to change your password every once in a while. However, it should not be a significant feature of anyone’s cybersecurity plan.

If you set up 2FA/MFA in Facebook, it will automatically notify you if someone tries to hack your account.

This is one of the most dangerous statements I saw in this article. If you are using a cellphone as your 2FA device, your number is easily spoofed – and you won’t be notified. Microsoft sounded an alarm about the dangers of using phone-based multi-factor authentication recently. Additionally, saving your MFA key so you don’t have to use it again opens you up to having your session spoofed. You also will not be warned about this. It’s usually a bad idea to rely on any notification to warn you about hacking attempts. If you do get warned by a message, it usually just means you got lucky.

Never using your Facebook login outside of Facebook will keep you safe.

So we should never use Single Sign-On (SSO)? You know, where you log in to one site and use that same token to log in to other sites? Google, Facebook, and Microsoft all have it. And then we will be safe from phishing, right?

As you may have guessed, no, that is not right at all.

I am hoping that this was just poorly worded. I think what they intended to say was that you shouldn’t use your Facebook credentials on any websites that are not coming from Facebook. This means Single Sign-On is safe because it involves a redirect to Facebook.

Of course, this factor alone will not keep you safe.

If the URL is missing the term “” then it is probably a phishing site.

Considering almost every phishing site I see nowadays uses some component of the spoofed site’s domain, this is extremely poor – and downright dangerous – advice. Here is a quick primer on the parts of a website address:

HTTP:// – Stands for HyperText Transfer Protocol. The secure, encrypted version of this is HTTPS://. You should NEVER enter confidential information (such as login or credit card details) into a form that isn’t on a secured webpage.

SUBDOMAIN – This is a secondary domain name you can use in addition to the actual domain name. Phishers love to use subdomains to trick you into thinking you are visiting the legit website when you look at the address bar. This is why it’s essential to know the different parts of a website address. Even if a phisher tries to use the legit domain name in other parts of the website URL, they won’t be able to fool you. For emphasis: you will never find the legit website domain in the subdomain section of a website address.

DOMAIN – This is the real domain name of a website. Here you will find the domain name followed by a period and an abbreviation for the top-level domain it’s using, such as .com, .net, .gov, .edu, and so forth. Phishers will sometimes use visually similar domain names to trick you into thinking you are going to the correct website. Watch the letters in the domain name carefully, and also pay attention to the top-level domain all your legitimate websites use.

.COM – This is the top-level domain or TLD. It’s important to know which one your favorite websites use, so you will be able to tell the difference if a phisher registers a domain like

DIRECTORY – This is pretty self-explanatory. It’s the folder directory you want to go to on the domain’s server. Sometimes phishers will use this to spoof the real domain in the URL or even use this…

WEBPAGE.HTML – This is the actual webpage you want to visit within that directory on the domain’s server. Phishers like to take advantage of this part of the address, as well.

Never follow any emails that take you to a Facebook login page. These are phishing sites.

This is another one of those instances where I hope that the writer just used an inadequate description of the concept they were thinking of. You will get emails from Facebook all the time. We all do. They will take you to Facebook and prompt you to log in (if you aren’t logged in already). These are not phishing sites.

We can apply much of what we learned about domains to email addresses as well. If an email comes from, then you can rest assured that the email actually came from. However, watch out for email addresses that look like this:

See how they tried to squeeze in that email address? It’s in the wrong part of the email address, though. It should be at the end. See how the email address’ domain also tries to mimic, but throws out a random top-level domain instead of using .com?
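The address-bar and sender-address checks described in the primer above, as an added example that is not part of the original post. It assumes a constructed legitimate domain of example.com, constructed sample URLs and addresses, and a deliberately naive two-label rule for the registrable domain (multi-label public suffixes such as co.uk are not handled).

```python
from urllib.parse import urlsplit

# Constructed example: the domain we expect the legitimate site and its mail to use.
LEGIT_DOMAIN = "example.com"

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Naive by assumption: multi-label public
    suffixes such as co.uk are not handled in this example."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_reasons(host: str, legit: str) -> list[str]:
    """Why a hostname is NOT the legit domain (an empty list means it is)."""
    host = host.lower()
    if registrable_domain(host) == legit:
        return []                                # the real domain, or a real subdomain of it
    reasons = []
    if "." + legit + "." in "." + host:          # legit name pushed into the subdomain section
        reasons.append("legit domain hidden in subdomain")
    elif registrable_domain(host).startswith(legit.rpartition(".")[0] + "."):
        reasons.append("legit name with a different TLD")
    else:
        reasons.append("different domain")
    return reasons

def classify_url(url: str, legit: str = LEGIT_DOMAIN) -> str:
    """'legit' for the real site over HTTPS, otherwise the red flags found."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return "no host"
    reasons = host_reasons(host, legit)
    if not reasons:
        return "legit" if parts.scheme == "https" else "legit domain, but not HTTPS"
    if legit in (parts.path + "?" + parts.query).lower():   # directory / page part
        reasons.append("legit domain hidden in path")
    return "; ".join(reasons)

def classify_email(address: str, legit: str = LEGIT_DOMAIN) -> str:
    """'legit' if the sender domain (after the last @) is the real one, otherwise the red flags."""
    local, sep, domain = address.rpartition("@")
    if not sep or not domain:
        return "malformed address"
    reasons = host_reasons(domain, legit)
    if not reasons:
        return "legit"
    if legit in local.lower():                   # domain squeezed in before the @
        reasons.append("legit domain in the wrong part (before the @)")
    return "; ".join(reasons)
```

For instance, classify_url("http://example.com.secure-host.test/") reports the legit domain hidden in the subdomain, and classify_email("support.example.com@example.xyz") reports both a wrong TLD and the domain squeezed in before the @.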

The Real Website Security Warning

The real website security warning has very little to do with any of Facebook’s past fumbles with security. It instead relies on your knowledge and skills. If you take the time to know how the internet works, the internet will work for you. Think critically about the enrichment content you consume. If it is vague or doesn’t make sense, it is likely to be more SEO garbage.

I sincerely hope that many IT professionals will raise their voices about this website online. Hopefully, the website owner reconsiders whatever has led to this website giving such terrible lessons, tips, and tricks. In the meantime, here is a list of beginner-friendly tech sites that all offer sound, factual information and advice.
