When news broke earlier this week that Russian hackers had amassed 1.2 billion username/password combinations spread across thousands of websites, you might have wondered how much risk you personally face. And if you’re like most people, you added the hassle of changing all of your passwords to the ‘Someday’ section of your to-do list. But after such a large security breach, the Federal Trade Commission (FTC) suggests biting the bullet and doing a round of security maintenance.


FTC: Change passwords regularly, don’t repeat them for important accounts

“Change the passwords you use for sensitive sites like your bank and email account — really any site that has important financial or health information. Make sure each password is different so someone who knows one of your passwords won’t suddenly have access to all your important accounts,” writes Maneesha Mithal, director of the FTC’s Division of Privacy and Identity Protection, in a blog post.

Using different passwords matters because once a hacker holds a database of known username/password combinations, they will replay those pairs at other websites as a sort of dictionary attack, on the chance that some people have reused them. You should also get in the habit of changing important passwords from time to time even when there hasn’t been an attack in the news (pain though it is).
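The replay attack described above can be turned around by the defender: a site that learns of a leaked credential list can check whether any of its own users reused a leaked password and force a reset for those accounts. The following is an added example (not code from the article or from the FTC); the leaked list, the user table, and the `find_reused_passwords` function are all constructed for illustration, and the site is assumed to store salted PBKDF2 hashes rather than plaintext.

```python
import hashlib
import hmac
import os

# Constructed sample: username/password pairs "leaked" from some other site.
LEAKED_CREDENTIALS = [
    ("alice@example.com", "Summer2014!"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "correct horse battery staple"),
]


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the assumed at-rest password format for our site."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_record(username: str, password: str) -> dict:
    """Create one row of the site's user table with a fresh random salt."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample: our own user table. alice and carol reused their passwords
# from the leaked site; bob chose a different password here.
USER_DB = [
    make_user_record("alice@example.com", "Summer2014!"),
    make_user_record("bob@example.com", "hunter2-but-different"),
    make_user_record("carol@example.com", "correct horse battery staple"),
]


def find_reused_passwords(user_db: list, leaked: list) -> list:
    """Return the usernames whose stored password equals the leaked password
    for the same username. Each leaked candidate is hashed with the user's own
    salt and compared in constant time, so the plaintext never needs storing."""
    by_user = {record["username"]: record for record in user_db}
    reused = []
    for username, leaked_password in leaked:
        record = by_user.get(username)
        if record is None:
            continue  # leaked account does not exist on this site
        candidate = hash_password(leaked_password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            reused.append(username)
    return sorted(reused)


if __name__ == "__main__":
    # Accounts listed here should receive a forced password reset.
    print("Accounts with reused passwords:", find_reused_passwords(USER_DB, LEAKED_CREDENTIALS))
```

Because the check uses the site's own salt and iteration count, it costs one PBKDF2 evaluation per leaked pair, which is affordable for a one-off sweep and does not require weakening the stored hashes.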

FTC: Use two-factor authentication for important accounts

Mithal offers the usual advice that passwords should be long and as random as possible, and that they should be stored somewhere out of sight or simply not written down. But the whole problem is that the qualities that make a password strong also make it hard to remember, and people need more and more of them all the time. Password managers are a convenient solution, but they put all of your risk in one place.

Mithal also recommends using two-factor authentication whenever it’s available, but there continues to be a lot of confusion about what that really entails. If a website makes you enter a password and then answer a challenge question, that isn’t two-factor authentication; it’s a single factor (knowledge) used twice.

Real multi-factor authentication uses some combination of knowledge (passwords, PINs), possession (USB tokens, smart cards), and inherence (biometrics). A Russian hacker might steal all kinds of personal information about you, and a mugger might get your security fob, but the odds of someone getting both are exceedingly small, so your most important accounts are still secure.