Much guff is talked about passwords. This has been going on for a long time - more than 30 years in my own experience. So here's my thoughts.
1) Don't use the same password on multiple sites. Most of the password theft that I see, comes about because someone used the same password everywhere, and they signed up on a site that offered them something for free and needed you to choose a username and password. That username/password pair is then added to the list used for guessing passwords on other sites, because that's the whole purpose of the site.
2) Choose a password that isn't easily guessed, but easy to remember. That mostly means, don't use "password" or "letmein". After that, avoid any word that's in a dictionary or any names. What I do, is look around the room, pick three things, take one syllable from each, which gives me a password like boopaplon (boo, because I can see a box that used to contain a pair of boots, pap for paper and lon because I'm using a mug that's a souvenier of London). Not in any dictionary, but because it can be pronounced, easy to remember.
3) Eventually, you'll need so many passwords that you can't remember them all, You could use a password manager (but use one that doesn't store passwords on someone else's computer, duh, but some people don't realise that "the cloud" means "someone else's computer"). Or write them down (but don't keep them on a post-it note on your screen or under your keyboard.
And here's another idea I use. I have a magic number, that only I know. So then I get given a four digit credit card code that I'm expected to remember (along with several others). So I subtract my magic number from the four digit number, and write that down. So if you get my wallet, and my credit card, you also have the four digits I wrote down, but they won't work for you because you don't know my magic number.
4) Don't tell anyone your password. That includes people who phone you up and claim to be "Technical support". I was once working as a consultant in a company, and they gave me a login to their computer so I could do the work. I was beavering away, when the phone on my desk rang. I ignored it for a while, because it couldn't be for me, but eventually I answered it. The guy at the other end claimed to be from tech support, and needed to do stuff on the terminal I was working at. He got me to go round the back and read off the serial number, which I did, and asked me which software I was using, which I told him, and then he asked for my password. I told him "I don't give out passwords". "It's OK, I'm with tech support". I didn't explain to him that this was just his opinion, and how do I know he's telling the truth, but I did say "I don't give out passwords, even to tech support." "But I need it, so I can do the work on your account that needs doing!"
Persistent. "OK, I'll tell you what I'll do. You give me your password, and I'll give you mine." So he did! And then he said "And yours is?" So I said " I already explained this, I don't give out passwords, even to tech support." "But I gave you mine!"
"Yes," I said, "it looks like you have three problems. First, you have whatever problem is it you're trying to fix. Second, you've created in your user base an expectation that they should give out their password to anyone who asks for it." Short pause. "And the third problem?" "Gullible tech support staff."
5) If someone comes up to you in the street and offers you a bar of chocolate for your password, you should eagerly accept, then tell them that your password is "password". Apparently, the people who ran this test placed total trust in the honesty of respondents. Gullible research staff.
6) Mother's maiden name. Why do banks and other people ask for your mother's maiden name? So that they can verify that you are who you say you are, because surely no-one but you would know your mother's maiden name? And there's other similarly stupid things that you get asked. My approach is to make up a word, so in response to "mother's maiden name" I'll put "Prognosis" or some other random word. Likewise for name of primary school, name of first pet and so on. I record these answers so that I can give them back on request, but it means that they can't be guessed.
7) Two factor authentication. There's some confusion about this. The right way it should work, is that you have to get two things right; one might be a password, the other might be, the bank texts your mobile, gives a made-up code, and you have to type that in. Thus, it's checking that *both* you know the password, and *also* you have possession of the right mobile phone.
But if you're expected to *either* know your password or *alternatively* possess the right phone, then that's not doubling the security, it's halving it.