FWIW, I use a password manager, Password Safe (pwsafe.exe). Essentially, every password is unique and extremely nasty looking. And long.
This rather gets rid of the "hack one database, snag other accounts" problem.
Password Safe was originally put together by Bruce Shinier (sp?) of security/cryptography fame.
The one thing I will not do is use any password store system that gets stored in the cloud. There was a notable hack of Last Pass; hackers exfiltrated the encrypted data files and, after some work by the hackers and a ton of stolen BitCoin wallets, it turned out that that data wasn't as encrypted as all that. While there are apologists for the industry who have noted that Last Pass's pointy-haired bosses allowed less-secure default encryption methods, it probably just means that other for-profit companies playing in this space haven't had the data files undergo sustained attack as of yet.
Two-factor authentication is cool with Tesla. They even have one print out a bunch of recovery codes in case one's cell phone (or whatever) is lost. However, there was a recent hack of a company which had used Google Authenticator. The initial hack was via spear-fishing and got into an individual's computer. But, even after that computer was placed off-line, the fact that Google had backed up the MFA into Google's Cloud meant that the attacker, who had the hacked computer's Google password, was able to restore the MFA to the hacker's computer and had continued on his/her merry way. The attacked company reported on this and suggested that the default, "back it up to Google!" option was a Bad Idea. Microsoft authenticator may not have this security bug, I'm not sure.
