Written by Spotloan

The more you buy and bank online, the more your personal information—birthday, social security number, banking account details—is stored online. But how can you protect that data, especially given 2017’s high-profile data security breaches at Equifax, Verizon, Uber, Yahoo, and other companies?

Here are four steps you can take to help safeguard your personal information from hackers.

1. Never, never, never reuse passwords.

Logging into multiple sites with the same user ID and password is convenient for you. It’s also convenient for hackers. If they steal that user ID and password, they’ve got access to your information across multiple sites.

Unique, strong passwords for each site you use are critical. But coming up with different passwords for every site (and remembering them all) is painful. Password managers such as Dashlane, 1Password, and LastPass handle the job for you. Each will create complex passwords for each website you use and then store the login credentials for you. The next time you visit a site, the password manager will automatically log you in. Password managers work on mobile devices, too. You’ll need to create a master password to log into your password manager.

Dashlane, 1Password, and LastPass offer some level of free service. But most features require a premium plan, about $2 to $3 per month.

Be aware: Password managers and their browser extensions aren’t 100 percent bulletproof. Also, web browsers such as Google Chrome and Apple Safari will create and store passwords for you for free and log you into your sites. They’re not bulletproof either (nothing on the internet is). But either option—password manager or your browser’s password feature—is far better than reusing the same ID and password repeatedly.

2. Turn on two-factor authentication.

Gmail, Yahoo, Outlook, and other online services offer two-factor authentication (also known as two-step verification). Two-factor authentication adds an extra level of security beyond passwords. Along with your unique, strong password, sites that support two-factor authentication will also text you a one-time code. You must enter the code to complete the login process.

While this sounds like a hassle, it’s usually not. In most cases, two-factor authentication kicks in only when you’re logging in from a computer or browser that you’ve not used before to log into a given site. In some cases, two-factor authentication is triggered once a month. But some financial institutions, like Wells Fargo, require an access code every time you log in—if you opt into two-factor authentication. (You’re not required to use two-factor authentication, and the bank does give you options.)

To find out if a site offers two-factor authentication, do a Google search with the site’s name followed by “two-factor authentication,” like this: Gmail 2 factor authentication.

3. Add a strong passcode to your smartphone.

Increasingly, we’re storing more personal information on our smartphones. The problem is, what happens to that information if you lose your phone (or it’s stolen)?

It’s essential to use a numeric or alphanumeric (numbers and characters) passcode lock on your phone. A four-digit passcode is fine, but a six-digit code is stronger. The more digits, the harder it is for a thief to crack the code. You can create even longer passcodes on iPhones and Android smartphones.

4. Learn how to identify phishing emails.

Phishing emails, on the surface, often look like legitimate emails from a bank or other organization. In reality, the email is designed to trick you into clicking a link embedded in the email. Once you click the link, you may be taken to a bogus website and asked to enter your login credentials. If you do, you’re likely giving your login credentials to a criminal.

So how do you spot a phishing email? By reading the email carefully, you might notice a misspelled word or other grammatical error—a tip-off that it’s not legitimate.

To be safe, avoid clicking links embedded in emails whenever possible. If you spot a phishing message in your inbox, mark it as spam or, if you have the option, as a phishing email.