Enable two-factor authentication (2FA) on every account that offers it. A strong password plus 2FA means even a data breach cannot give an attacker access without your second device.
Change your passwords regularly — especially after any reported breach involving a service you use.
A note on breaches: Even the strongest password cannot protect you if the company stores it poorly and gets breached. That is their failure, not yours. Unique passwords per account limit the damage.
Write it down on paper. Store it in a safe, locked drawer, or secure physical location. A paper copy cannot be hacked remotely. This is not old-fashioned — it is the most secure backup method that exists.
Enable two-factor authentication everywhere. 2FA means an attacker needs both your password and your physical device. Even a breached password cannot access your account without the second factor.
Never reuse passwords. One breach exposes every account sharing that password. Unique passwords per account limit the damage to one service.
Change passwords regularly. Especially after any reported breach at a service you use. Assume that if a service was breached your password may have been exposed regardless of how it was stored.
Length beats complexity. A 20-character lowercase password is stronger than an 8-character password with symbols. Every additional character multiplies the search space exponentially.
A breach at the company is not your failure. No password protects you if the company stores it insecurely and gets breached. Unique passwords and 2FA limit the damage. The rest is outside your control.
Runic and Unicode passwords must be copy-pasted. Verify the password works on the target site before logging out. Some older systems do not accept Unicode. Always have your physical backup first.