There are two big reasons why people get hacked. Flaws in software and flaws in human behavior. While there's not much you can do about coding vulnerabilities, you can change your own behavior and bad habits.

This story originally appeared on WIRED UK.

Just ask former US president Donald Trump, whose Twitter password was "maga2020!" Or Boris Johnson, who revealed details of sensitive Zoom calls at the start of the pandemic in 2020. (These world leaders will have had specific security training from protection agencies too.)

The risks are just as real for the average person, even if the stakes aren't quite so high. If your accounts aren't properly protected, your credit card could be compromised or your private messages and photographs stolen and shared for all to see. Working out if your accounts have been hacked is a time-consuming and potentially frustrating process. You're better off taking some steps to mitigate the risks of getting hacked in the first place. Here's what you can do to protect yourself.

Arguably the most effective thing you can do to protect your online accounts is turning on multi-factor, or two-factor, authentication for as many of your accounts as possible. The method uses a secondary piece of information (often a code generated by an app or sent via SMS) alongside a password.

This secondary piece of information helps to prove it really is you trying to log in, as the codes are often accessed on the phone in your pocket. Even if you do have a password that's easy to guess (we'll get to that shortly), an attacker is unlikely to get access to an account with multi-factor authentication turned on unless they have your phone.

There's a guide to all the accounts that support the method here, but in the first instance you should turn it on for all the accounts that hold personal information that could be abused. Like messaging apps such as WhatsApp, social media including Facebook, Instagram, and Twitter, and your email accounts.

Not all forms of multi-factor authentication are equal though. Code-generating apps are considered more secure than getting codes via SMS, and beyond that, physical security keys provide an even more robust layer of protection.

Let's talk about passwords. It's 2021. You shouldn't be using "password" or "12345" for any of your passwords, even if it's a throwaway account.

All the passwords you use for your online accounts should be strong and unique. What this really means is they should be long, include a mixture of different character types, and not be used across multiple websites. Your Twitter password shouldn't be the same as your online banking one; your home Wi-Fi network shouldn't use the same credentials as your Amazon account.

The best way to do this is by using a password manager. Password managers create strong passwords for you and store them securely. If the fact that they can stop you getting hacked isn't enough to make you consider using one, a password manager also means you never have to struggle to remember a forgotten password again.

From our testing of the best password managers out there, we recommend trying out LastPass or KeePass.

Quickly clicking can be your worst enemy. When a new email or text message arrives, and it includes something that can be tapped or clicked, our instincts often lead us to do it straight away. Don't.

Hackers have used the pandemic as cover to launch wave after wave of phishing attacks and dumb Google Drive scams.

Anyone can fall for these types of scams. The main thing to do is to think before you click. Scam messages try to trick people into behaving in a way they wouldn't normally (with, say, pretend instant demands from a boss or messages that say an urgent response is required).