Editors’ note: This guide was originally published in 2017. But after Marriott disclosed on Friday that the personal information of as many as half a billion people may have been compromised by hackers, the suggestions below were updated, and are as important as ever.

How do I know if my personal information has been taken?

Marriott said Friday that it would begin alerting the 500 million customers it believed were affected by a breach of its Starwood hotels database. In the meantime, if you stayed at a Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Le Méridien, Tribute, Design Hotels, Elements or Luxury Collection hotel in the last four years, you may want to assume that you were.

Should I change my passwords?

Regardless of the type of breach or the company involved, it’s always a safe bet to change passwords for sites that contain sensitive information like financial, health or credit card data. Do not use the same password across multiple sites, and do not use your Social Security number as a username or a password.

And if you were not doing so already, you will have to treat everything you receive online with an abundance of suspicion, in case hackers are trying to trick you out of even more information.

How do I create stronger passwords?

Try a password manager like 1Password or LastPass.

These services create a unique password for each website you visit and store the passwords in a database protected by a master password that you create. Password managers reduce the risk of reused passwords or those that are easy to decode.

Wirecutter, a New York Times company, provides a helpful explanation of why password managers are so essential. It also maintains an updated guide to what it considers to be the best password managers.

If you must create your own passwords, try creating long, complex passwords consisting of nonsensical phrases or one-sentence summaries of strange life events and add numbers and special characters.

My favorite number is Green4782#

The cat ate the CoTTon candy 224%

Or, if you’re extra paranoid, consider mimicking this setup. Take the sentence:

“My name is Inigo Montoya. You killed my father. Prepare to die!”

And convert it into this:

“Mni!m.YkMf.PtD!”

In general, create the strongest passwords for the sites that contain the most sensitive information and do not reuse them anywhere.

Are passwords enough?

Passwords are not enough. If a site offers additional security features, like secondary or two-factor authentication, enable them. Then, when you enter your password, you will receive a message (usually a text or a code through an authenticator app) with a one-time code that you must enter before you can log in. Many bank sites and major sites like Google, Facebook and Apple offer two-factor authentication. In some cases, the second authentication is required only if you are logging in from a new computer.

Don’t click

Attacks are often spread through malicious email attachments and links — a practice known as phishing. So make a rule of not clicking on anything when you do not know where it will take you, even if it appears to come from someone you know.

If you get an email containing links or attachments, even if it appears to be from a familiar friend or colleague, do yourself a favor: Check the “From” email address. Often, attackers will tweak email addresses to be recognizable to their target. Only under closer examination does the target see that the domain is misspelled or that the attacker has replaced an “i” with a 1. Other times, the email will contain obvious misspellings or strange syntax that was obviously created by a foreigner using Google Translate or another translation service. If anything seems off, do not click.
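The address check described above can be partly automated. The following is an added example, not part of the original guide: it compares a sender's domain against domains you already trust and flags character swaps (such as a 1 for an "i") and one-letter misspellings. The function names and the riverbank.example domain are constructed for illustration.

```python
from email.utils import parseaddr

# Look-alike characters fold to one form, so "1", "i" and "l" all compare equal.
FOLD = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})

def skeleton(domain: str) -> str:
    """Collapse visually similar characters ('rn' also reads as 'm')."""
    return domain.lower().replace("rn", "m").translate(FOLD)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str, trusted: set) -> str:
    """Classify the domain in a From header against a set of trusted domains."""
    # The display name can say anything; only the address part is examined.
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted:
        return "trusted"
    for good in sorted(trusted):
        if skeleton(domain) == skeleton(good):
            return f"lookalike of {good} (character swap)"
        if edit_distance(domain, good) <= 1:
            return f"lookalike of {good} (misspelling)"
    return "unknown"

if __name__ == "__main__":
    trusted = {"riverbank.example"}  # constructed domain, not a real sender
    samples = [  # constructed From headers
        '"River Bank" <alerts@riverbank.example>',
        '"River Bank" <alerts@r1verbank.example>',
        '"River Bank" <alerts@rivrbank.example>',
        '"A Friend" <friend@othersite.example>',
    ]
    for header in samples:
        print(f"{header:45} -> {check_sender(header, trusted)}")
```

A result of "unknown" only means the domain does not resemble one on your list; it is not a sign that the message is safe.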

Update often

To help mitigate what malicious attachments can do to your machine, make sure to update your software regularly, particularly your operating system. Frequently, software companies will release updates that patch bugs and software vulnerabilities when they are discovered.

Won’t security questions protect my data?

Sites will often use common security questions to recover a user’s account if the password is forgotten.

These questions are problematic because the internet has made public record searches simple and the answers are usually easy to guess.

In a study, security researchers at Google found that with a single guess, an attacker would have a 19.7 percent chance of duplicating an English-speaking user’s answer to the question “What is your favorite food?” (It was pizza.)

With 10 tries, an attacker would have a 39 percent chance of guessing a Korean-speaking user’s answer to the question “What is your city of birth?” and a 43 percent chance of guessing the favorite food.

If you're required to answer security questions, lie and jot down your fake answers with pen and paper. (Q. "Where were you born?" A. Kentucky Fried Chicken. Q. "What was your first pet’s name?" A. Peach.)

Don't use email for that

Remember the old adage: Don’t put anything in an email that you would not want to see on the front page of The New York Times. The same applies to your sensitive information. Never ever send sensitive data like passwords, Social Security numbers or PINs in an email. If you must share this information, do it over the phone or, worst-case scenario, through an encrypted messaging app like Signal, which allows you to scramble messages and time them to disappear.

Be vigilant with your credit card

Never allow a retailer or merchant to store your credit card information unnecessarily. If it is offered, use PayPal or Apple Pay for online transactions. Both are safer than most online payment methods.

Back up your data

Ransomware, malicious software that hackers have used to scramble your data until you pay a ransom, is a common scourge these days. Stay one step ahead of cybercriminals by regularly backing up your data. Wirecutter has a great guide on cloud backups and hardware backups.

Don't give up your email address willy-nilly

The perks of turning over your personal data can be tempting, but, generally speaking, it's a terrible idea to hand over your personal data — even something as seemingly innocuous as your birthday or email address — to a store clerk or a strange login page on the internet simply because someone asked for it. Breach after breach proves as much. If a website requires an email address, consider creating a disposable email address with a service like 10minutemail or Nada.

Lengthen your phone password

Your phone is incredibly valuable to criminals and spies. Treat it accordingly. Don’t bother with a four-digit passcode, which is easy to guess. Six-digit passcodes are harder to guess. Eight-digit passcodes are better.

Bonus: Cover your webcam with tape