Passwords, especially for accounts not protected by two-step verification, are your last line of defense against prying eyes. This guide explains how those passwords get exposed and what you can do to keep them locked down.
How are passwords vulnerable to exposure?
Before we discuss the how-tos of creating secure passwords, it’s important to understand why you need a very secure password to begin with. Security isn’t only a question of “Who would want to hack my accounts?”
There are a few ways your account passwords can be compromised.
- Someone’s out to get you. They might begin with an easy entry point and use password recovery options to access your other accounts.
- You become the victim of a brute-force attack. These attacks work by systematically checking all possible passwords until the correct one is found. If the hacker already has an idea of the guidelines used to create the password, this process becomes easier to execute.
- There’s a data breach. Hackers strike a large company, and millions of people’s account information is compromised.
What makes a good password?
Ideally, each of your passwords would be at least 16 characters, and contain a combination of numbers, symbols, uppercase letters, lowercase letters, and spaces. The password would be free of repetition, dictionary words, usernames, pronouns, IDs, and any other predefined number or letter sequences.
Creating secure passwords
In his guide to mastering the art of passwords, Dennis O’Reilly suggests creating a system that both allows you to create complex passwords and remember them.
For example, create a phrase like “I hope the Giants will win the World Series in 2016!” Then take the initial of each word, keeping any numbers and symbols whole, to create your password. That phrase would result in this: IhtGwwtWSi2016!
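As an added example (not from the original article or from Dennis O’Reilly’s guide), the following Python script applies the initials rule above to a phrase and then checks the result against the criteria listed under “What makes a good password?”: length, character classes, repetition, simple sequences, and dictionary words. The small word list and the three-character sequence/repetition thresholds are assumptions made for the example; a real checker would load a full dictionary.

```python
import re
import string

# The article's own example phrase (constructed input for the demo).
ARTICLE_PHRASE = "I hope the Giants will win the World Series in 2016!"

# Tiny stand-in for a real dictionary; a production checker would load a full word list.
COMMON_WORDS = {"password", "giants", "world", "series", "hope", "love", "admin"}


def derive_password(phrase: str) -> str:
    """Keep the first letter of every word; keep digits and symbols in full."""
    out = []
    for token in phrase.split():
        keep_next_letter = True          # first letter of each alphabetic run is kept
        for ch in token:
            if ch.isalpha():
                if keep_next_letter:
                    out.append(ch)
                    keep_next_letter = False
            else:                        # digit or symbol: copied through unchanged
                out.append(ch)
                keep_next_letter = True
    return "".join(out)


def has_sequence(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` characters stepping up or down by one, e.g. 'abc' or '321'."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, min_len: int = 16) -> dict:
    """Evaluate a candidate against the article's criteria and report what it misses."""
    classes = {
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "space": " " in pw,
    }
    lowered = pw.lower()
    report = {
        "length_ok": len(pw) >= min_len,
        "classes_missing": [name for name, present in classes.items() if not present],
        # three or more identical characters in a row
        "has_repetition": re.search(r"(.)\1\1", pw) is not None,
        "has_sequence": has_sequence(pw),
        "dictionary_words": [w for w in COMMON_WORDS if len(w) >= 4 and w in lowered],
    }
    report["passes"] = (
        report["length_ok"]
        and not report["classes_missing"]
        and not report["has_repetition"]
        and not report["has_sequence"]
        and not report["dictionary_words"]
    )
    return report


if __name__ == "__main__":
    candidate = derive_password(ARTICLE_PHRASE)
    print(candidate)
    for key, value in check_password(candidate).items():
        print(f"  {key}: {value}")
```

Run on the article’s phrase, the script reproduces IhtGwwtWSi2016! and lists which of the stated criteria the string meets and which it misses, so you can adjust the phrase (a longer sentence, a word that adds a space) until the report passes.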
If available, enable two-step verification
Any time a service like online banking, Facebook or Gmail offers “two-step verification,” use it. When enabled, signing in from an unrecognized device will also require you to enter a code that’s sent as a text message to your phone. That means a hacker who isn’t in possession of your phone won’t be able to sign in, even if they know your password.
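To show what the service is doing behind that second step, here is an added example (not code from the original article or from any of the services named) of the server side of the exchange: issuing a one-time code for an unrecognized device, then verifying what the user types. The class name, the five-minute lifetime, the five-attempt limit, and the `sign_in` wrapper are all assumptions for the illustration; the text-message delivery itself is left as a hypothetical step.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5         # assumed guesses allowed per issued code


class OneTimeCodeVerifier:
    """Issues and checks the short code a service texts to your phone."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock so expiry can be tested
        self._pending = {}                   # user_id -> [code_hash, expires_at, attempts_left]

    def issue(self, user_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"   # six random digits
        digest = hashlib.sha256(code.encode()).hexdigest()
        # Stored hashed so a dump of pending codes is not directly usable; the real
        # defence against guessing a 6-digit code is the attempt limit and the expiry.
        self._pending[user_id] = [digest, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code   # in the real flow this goes to a hypothetical send_sms(user_id, code)

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            self._pending.pop(user_id, None)          # stale or exhausted: discard
            return False
        entry[2] -= 1                                 # every guess consumes an attempt
        ok = hmac.compare_digest(
            digest, hashlib.sha256(submitted.encode()).hexdigest()
        )
        if ok:
            self._pending.pop(user_id, None)          # a code is single use
        return ok


def sign_in(verifier, user_id, password_ok, device_known, submitted_code=None) -> str:
    """Password is the first step; an unrecognized device triggers the second."""
    if not password_ok:
        return "denied"
    if device_known:
        return "signed-in"
    if submitted_code is None:
        verifier.issue(user_id)                       # code delivered out of band
        return "code-required"
    return "signed-in" if verifier.verify(user_id, submitted_code) else "denied"


if __name__ == "__main__":
    v = OneTimeCodeVerifier()
    code = v.issue("alice")
    print("status without code:", sign_in(v, "alice", True, False))
    print("status with code:   ", sign_in(v, "alice", True, False, submitted_code=code))
```

The two properties worth noticing are that a correct password alone never gets past an unknown device, and that each issued code can be used once, expires, and tolerates only a handful of wrong guesses, which is what makes a six-digit code acceptable as a second step.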
Keeping track of secure passwords
If you follow one of the most important commandments of passwords, you know that you absolutely must have a unique password for every service you use. The logic is simple: if you recycle the same password (or a variation of it), and a hacker cracks one account, he or she will be able to access the rest of your accounts.
Obviously, you can’t be expected to memorize dozens of complicated, 16-character-long passwords.
Using a password manager
Password managers store all of your passwords for you and fill out your log-in forms so that you don’t have to do any memorizing. If you want super-secure passwords for your online accounts (which is recommended) but don’t want to memorize them all (also recommended), this is the way to go.
There are many options available, but a few crowd favorites are LastPass, Dashlane and 1Password. All three password managers essentially work the same way. There is a desktop program (or mobile app), which you’ll use to manage your passwords. Then, there’s a browser extension that automatically logs you into accounts as you browse the Web.
It’s worth noting, however, that just like any software, password managers are vulnerable to security breaches. In 2011, LastPass experienced a security breach, but users with strong master passwords were not affected.