
Most people know they’re supposed to create strong, unique passwords for all their accounts, but not everyone does it.

Even the least tech-savvy people have numerous online accounts, and setting good, unique passwords for all of them is a daunting task.

A survey done earlier this year by LastPass by LogMeIn, a password management company, showed that while 91 percent of people know that using the same password for multiple accounts is a bad idea, 59 percent do it anyway.

Meanwhile, the high-profile hacks and thefts of consumer information continue to pile up, serving as powerful reminders of the importance of good password hygiene.

In recent months, companies ranging from fitness fashion retailer Under Armour to genealogy and DNA testing website MyHeritage have fallen victim to hackers, putting the personal information of consumers at risk.


Most times, when companies are hacked, the first thing experts say to do is change your password for that account, and for any other account where you were using the same password. Yes, that’s a good start, but it won’t help you much if you don’t change it to a good one.

And while remembering hard passwords can be, well, hard, experts say that’s kind of the point.

“The easier it is for you, the easier it is for the bad guys,” says Dan Nadir, vice president of digital risk for the cybersecurity firm Proofpoint.

Here’s how you can create hard-to-crack passwords and keep your online accounts safer.

Go Long and Complicated

While “Password123” may be easy to remember, it’s a disaster when it comes to security. Hackers like to go for the low-hanging fruit and try the obvious options first.

Ideally, a password should be composed of a long string (think at least a dozen characters) of seemingly random uppercase and lowercase letters, numbers, and symbols. One of the best and easiest things to do is to create a long password out of an easy-to-remember phrase, then throw in some special characters.

For example: “Th3Qu1ckBr0wnF0xJump$0verTh3LazyD0g”—though it would be better to use a phrase that you make up yourself.

Don’t include your name, birthday, or references to other personal details (yes, that means your kids’ personal details, too). Hackers routinely troll Facebook and Twitter for clues to passwords like these.

This same logic applies to smart-home devices such as routers, webcams, TVs, toys, and even some high-end refrigerators. Many come with default passwords that should be changed the moment you take the product out of the box. There’s no easier password to hack than one you can find in a manual or online.

Don't Recycle

Even a tech minimalist has countless passwords these days for everything from bank accounts to Pinterest. That’s a lot to remember, but don’t follow the temptation to use the same password for multiple accounts or to recycle an old favorite.

More than 1 billion passwords were stolen from Yahoo in a handful of breaches over the past several years. You wouldn’t want that same password to be tied to your credit and bank accounts as well. Hackers routinely test passwords stolen in megabreaches on financial accounts.
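The advice in "Go Long and Complicated" and the reuse warning above can be checked mechanically. The following Python audit is an added example, not part of the original article; the account names, passwords, personal details, and the short list of obvious passwords are constructed sample data.

```python
import re
from collections import defaultdict

MIN_LENGTH = 12  # the article's "at least a dozen characters"
# Constructed short list; a real audit would use a large list of known and default passwords.
OBVIOUS = {"password123", "admin", "123456", "letmein"}
# Lowercase, uppercase, digit, symbol: the mix the article recommends.
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")

def audit(accounts, personal_details):
    """Map each account name to the list of problems found with its password."""
    owners = defaultdict(list)  # password -> accounts that use it
    for name, pw in accounts.items():
        owners[pw].append(name)
    report = {}
    for name, pw in accounts.items():
        findings = []
        if len(pw) < MIN_LENGTH:
            findings.append("too short")
        if not all(re.search(c, pw) for c in CLASSES):
            findings.append("missing a character class")
        if pw.lower() in OBVIOUS:
            findings.append("obvious or default")
        if any(d.lower() in pw.lower() for d in personal_details if d):
            findings.append("contains a personal detail")
        shared = sorted(n for n in owners[pw] if n != name)
        if shared:
            findings.append("reused on: " + ", ".join(shared))
        report[name] = findings
    return report

# Constructed sample data, for illustration only.
SAMPLE_ACCOUNTS = {
    "bank": "Password123",
    "email": "Password123",
    "router": "admin",
    "shopping": "Maya2011!forever",
    "forum": "c0rrect-H0rse-Battery-7",
}
SAMPLE_PERSONAL = ["Maya", "2011"]  # e.g. a child's name and birth year

if __name__ == "__main__":
    for account, problems in audit(SAMPLE_ACCOUNTS, SAMPLE_PERSONAL).items():
        print(f"{account}: {', '.join(problems) or 'ok'}")
```
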

If the thought of remembering so many complicated passwords is intimidating, think about using a password manager, Nadir says. Some are free; others cost a few dollars per month.

Services like these generate, retrieve, and provide top-of-the-line passwords for each of your accounts, using superstrong encryption to protect them. They’ll also make sure the site you think belongs to your bank actually does, before you hand over your credentials. All you have to do is remember the one password you create for that service.

Fair warning: Password manager companies have been hacked in the past, but that doesn’t mean user passwords were acquired by the bad guys, as opposed to less sensitive account information. Overall, many cybersecurity experts say they’re the lesser of many evils.

Always Use Multifactor

Multifactor authentication—which asks users to enter a second form of identification, such as a code texted to a smartphone or a biometric identifier, such as a thumbprint—has become a must.

And the word is getting out. In a nationally representative survey of 1,012 adults conducted in 2016, Consumer Reports found that 62 percent of Americans use multifactor authentication for online accounts.

Multifactor authentication, also called two-factor authentication, makes it a lot harder for hackers to access your account, even if they have the password. 

It’s standard practice in business, and services including Facebook, Google, and online banking sites offer it as an option, but you often have to turn it on. Yes, this will slow you down a bit, but frequently, it’s enough to make hackers look for another target.

And because most people aren’t going to set a good enough password, turning on multifactor is a must, Nadir says. “Ultimately, that’s going to be the thing that’s going to save you.”  

Embrace Change

Did you just toss your toothbrush? Maybe it’s time to change your passwords, too.

The longer a password hangs around, the more likely it has been stolen or deciphered by a hacker. And if a company announces that it has been hacked and credentials have been stolen, change your password right away, even if it appears your account wasn’t affected. It often takes time for those investigating a hack to determine exactly how bad the fallout is, and breaches are often worse than they first appear.

On a related note, it’s also wise to periodically clean out your digital closets, just like the physical ones in your home. Have an AOL email address you don’t use anymore? A Myspace account? Close them out so that you don’t have to worry about them getting hacked. 

Don't Be Too Social

Be careful what you share and who you share it with.

This lesson was driven home by the revelation that about 87 million Facebook users had their profile information and “likes” harvested—without permission—by researchers using a third-party quiz app. 

If you’re going to post personal details about yourself (or your family), make sure your accounts are locked down and change your privacy settings to restrict your posts to real-life “friends.” Consumer Reports shared tips for protecting your kids’ personal information in a previous article, but here’s the short version: The entire world doesn’t need to know where they go to school and when they celebrate their birthdays.

And keep in mind that even if you think you have your account locked down, nothing shared on social media is ever truly private. So think before you trade your privacy to play a Facebook game or take part in what looks like a harmless quiz.