The hacks started on her Facebook account. Eilish Boyd, a senior majoring in media and cinema studies, got a message from a girl she went to high school with whom she hadn’t spoken to in years. The girl told her she had been receiving strange, nonsensical messages from Boyd’s personal profile promoting Ray-Ban glasses.

“I never went on my Facebook,” Boyd said. “Then I went on my Facebook and there were all of these posts that I clearly was not posting.”

Then it happened to her Twitter account. Promotional tweets for Ray-Bans from an outside source started appearing on her personal account as if she was typing them up herself.

“My friends were like ‘why are you tweeting this sh*t?’ and then I saw in my follows that I had followed random accounts like bot accounts and porn star accounts and accounts that were not even people,” Boyd said.

Then it happened to her text messages on her iPhone.

“I opened my phone one morning and I had literally over 150 outgoing messages to a really long number,” Boyd said. “It didn’t look like it was a U.S. number. (The messages were) all in Chinese and they used all of these red emojis, and they used the Chinese flag emoji, too.”

The Internet gives us the ability to save information online so that we can access it anywhere. Many of these accounts, however, are only protected by passwords that the users produce. We use passwords to protect some of our most valuable and personal information, but poor password habits make us more susceptible to hacking or getting our information stolen.

Before being hacked, Boyd thought she was being diligent about keeping her accounts secure. She had a habit of going onto movie torrenting websites, but she tried to create complicated passwords. Boyd used various combinations of letters, numbers and characters in her passwords, and the websites she used would usually classify them as “strong.”

But internet privacy experts say that even complicated passwords are susceptible to hacks.

“If a guide suggests to, for example, use your birthdate as your password shifted over by a character on the keyboard, hackers are also likely to have come across this guide and use that as a way to figure out passwords,” said Matthew Verive.

Verive currently works as an informational security intern in the Risk Management, Governance and Compliance department at United Airlines, “which is fancy talk for trying to monitor and relegate vulnerabilities,” Verive said. “One major vulnerability is often weak passwords, so our department is big in promoting healthy password creation and use.”

Keeping track of several accounts and having to remember multiple passwords can be draining, so many people default to using the same password for several sites or opting for a word or phrase that’s easy to remember. According to data compiled by Splashdata, “123456” and “password” have been the two most commonly used passwords for the past four years.

Even those who are aware of the importance of password security have trouble when it comes to making their own accounts ironclad.

“To be honest, yes, I reuse passwords,” Verive said. “I don’t use the same password for all accounts, but there are several passwords or variations of the same password that I use across different sites. Generally, I reuse passwords out of pure laziness but use unique passwords for particularly sensitive things.”

“There is a phenomenon called ‘security fatigue’ that refers to the state of reluctance to change a password or maintain a good security practice,” said Filipo Sharevski, an assistant professor in the College of Computing and Digital Media who focuses on computer security, telecommunication and networking.

“We have to remember, on average, more than 20 different passwords, which is quite a lot, Sharevski said. “Put on top of that that we also have to change some of those once every 30 days. Not to get security fatigued but still secure, (people should change their passwords) probably 3-6 times a year.”

Companies are starting to look for alternatives to passwords on certain devices by using touch and face recognition. Apple added fingerprint recognition to their devices starting with the iPhone 5s, and now the iPhone X uses face recognition that they refer to as Face ID. Microsoft is using a similar face recognition system called Windows Hello on the Surface Pro 4. These techniques make those devices more secure, but “passwords are old as an identification technique and probably the hardest to get rid off,” Sharevski said.

He suggests setting up a two-factor verification process when logging into accounts. This is when you enter your password and the website you are logging into sends a follow-up code through text, call or email that the user must enter before being taken to their account.

Since her hack, Boyd uses this technique on her accounts. “If there’s an option to do a two-factor verification, I’ll always choose it just to be safe.” Boyd said. “I feel like that whole situation I had and that fear was sort of just a warning in a way that it possibly could get worse.”

She said she notices that when students in her classes have to give presentations,  several of her classmates use the two-factor verification process when they log into their email or Google Drive. “It makes me wonder if the same thing happened to them too, or if they’re doing it as a precaution,” Boyd said.