There's been a seemingly endless stream of celebrity hacks making their way online. While it's widely believed that many of these are part of the original 2014 hack, and the blame rests entirely on the criminals doing the hacking, it's a cold reminder that security in the digital world is just as urgent and imperative as security in the real world. We don't just need to close our data doors, we need to lock them. With deadbolts. And alarms.

Whether it's Apple's iCloud, Google Accounts, Microsoft, Dropbox, or any other service, you want to avoid using weak, repetitive, single-factor passwords and start using long, strong, unique passwords with multi-factor and a password manager.

It's a hassle but so is your home security system or personal protection detail. It's the fault of the criminals but we're the only ones who can protect ourselves.

Here's how.

Don't use weak passwords

Everyone should know by now to avoid passwords like "password", "123456", your birthdate (or anyone's birthday), nickname, pet's name, child's name (or anyone's name). But you also want to avoid any word or set of words in the dictionary and even common variations thereof, like d!ct!0n@ry.

Anything easy for you to remember is also easy for someone else to guess or "brute force".
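Why a substitution like d!ct!0n@ry buys nothing: a guessing tool, or a defender's password-strength check, simply undoes the swaps before looking the word up. The sketch below is an added example, not part of the original article; the tiny word list and the substitution table are constructed for illustration, and a real check would use a full dictionary and breached-password list.

```python
import re

# Constructed sample word list (assumption); real checks load far larger lists.
WORDLIST = {"password", "dictionary", "dragon", "monkey", "letmein"}

# Common look-alike substitutions mapped back to the letters they replace.
LEET = str.maketrans({"!": "i", "1": "i", "0": "o", "@": "a", "4": "a",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def weakness(candidate):
    """Return a short reason if the candidate is guessable, else None."""
    lowered = candidate.lower()
    if lowered.isdigit():
        return "digits only"
    # Also try the candidate with a trailing run of digits/symbols removed,
    # which covers patterns such as a word followed by a year and "!".
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    for variant in (lowered, stripped):
        word = variant.translate(LEET)
        if word in WORDLIST:
            return "variation of dictionary word '%s'" % word
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("d!ct!0n@ry", "123456", "Dragon2017!", "vR7#qLm2$Xw9pZ"):
        print(pw, "->", weakness(pw) or "no match in this check")
```

A result of None only means this small check found nothing; it is not proof that a password is strong.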

Do use strong, pseudo-random passwords


The best passwords are blobs of pseudo-random letters, numbers, and symbols. The longer the series, the stronger the password. Most of us don't have to worry about nation states or hackers with similar resources trying to get into our accounts but once you start using a password manager (see below), you might as well be as secure as possible.

Don't use the same password for more than one website

Let's say you set up your iCloud account with a strong password but use the same password to set up your account with a home supply store. Then that home supply store gets hacked and, it turns out, they didn't bother to properly secure passwords. The hackers then start trying those passwords on other sites, including your iCloud account.

If your passwords are all different, one hack doesn't compromise all your accounts.

Do use a password manager to store and auto-fill unique passwords

It's impossible to remember even one long, strong password, let alone dozens of unique ones for every site you log into. That's where a password manager like 1Password or LastPass comes in. They'll generate the long, strong passwords for you, store them, and when you go to those sites, they'll automatically fill in the passwords for you.

They also support Touch ID and copy/paste, so they're easy to use.

Don't use security questions that are researchable

Security questions are bad for security and I wish companies would stop using them. If you're a public figure, Wikipedia can usually provide anyone with the answers to several common security questions. Even if you're not a public figure, Google can sometimes provide the same answers. And if people get those answers, they can reset your password and try to get into your account.

So, avoid using security questions if you can and, if you can't…

Do treat security questions like extra passwords

If a service you're using insists you provide it with security questions for password recovery or reset, don't use anything anyone else can research. Instead, treat security questions as extra password fields.

Generate long, strong blobs of pseudo-random characters and store them in your password manager. Then, if you ever need them, copy/paste them in.
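What a password manager's generator does, both for the passwords recommended earlier and for the security-answer blobs described here, can be sketched as follows. This is an added example, not code from the article or from any password manager; the 24-character default and the function names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Letters, digits and ASCII punctuation: 94 possible characters per position.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate_password(length=24):
    """Draw every character from the operating system's CSPRNG."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Many sites insist on one character of each class; redraw until the
        # candidate satisfies that (this costs a negligible amount of entropy).
        if all(any(ch in cls for ch in pw) for cls in CLASSES):
            return pw


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on guessing entropy: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password())
    # Each extra character adds about 6.55 bits, so length is what counts.
    for n in (8, 12, 16, 24, 32):
        print("%2d characters: about %.0f bits" % (n, entropy_bits(n)))
```

The secrets module is used rather than random because random is a predictable generator that is not meant for security purposes.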

Don't just use passwords

A password is a single factor. If that's all you use and someone somehow gets your password or security questions, they can get access to your account.

Add in a second factor, though, and the password only gets them halfway.

Do use 2-factor authentication


Most major online services, including iCloud, offer 2-factor authentication (2FA). Apple's version pops up a token code on your iPhone, iPad, or Mac, and you have to punch it in to get access. Other systems use apps like Google Authenticator, 1Password, or Authy to supply you with a token. (If the service only offers tokens over SMS, it's not as secure; contact them and ask them to provide proper 2-factor support.)

It's less convenient but it's far more secure. And if the 2-factor token pops up when you're not trying to log in, you know someone else is trying to get into your account.

Don't click on links in emails

Phishing is when a hacker sends out huge volumes of fake emails saying there's a problem with your account, a special deal you can get, or anything else designed to entice you to click on their link. Spear phishing is similar, but targeted just at you and is often more personal and even more enticing.

The link is to a fake account page where they hope you'll type in your real password so they can get it. Never click a link in any email asking you to enter your login information anywhere.


Do go to account sites directly

If you get an email from Apple, Google, Microsoft, Dropbox, or anyone stating there's a problem with your account, open your browser and type in the website address yourself, and then use your password manager to log in.

If there really is a problem there should be a notification for that problem on the account page along with any real steps you need to follow.

Any questions?

Having your personal data leak is a horrible violation and should never happen to anyone. If you're storing sensitive information or content online, though, do everything you can to protect it. If you're sending it to someone else, make sure they do everything they can to protect it as well.

Any questions or additional tips, drop them in the comments below!

Updated August 27, 2017: We've reviewed the guidelines below and they're still the best practices to avoid having your personal photos and data leaked out onto the internet.
