Basic Steps For Digital Security

by allsparkinfinite on 2024-02-10

Here are some things everyone should be doing to improve their security.

Passwords

How they are stored

The way most reputable websites store your passwords is by salting and hashing them. (I'm not currently salting passwords on this blog, but then again I'm not accepting registrations either)
To salt a password is to append a long random string (the salt) to it. The next step is hashing, where the password plus salt is run through a one-way hash function. Hash functions are extremely chaotic and computationally intensive to reverse, and a minor change in the input leads to a completely different output (called a hash). That way, similar passwords will not have similar hashes. The salt and hash are then stored with your username.
When you attempt a login, the site appends your stored salt to the password you entered and hashes the result. If the result matches the stored hash, it knows the entered password is correct, all without ever storing the correct password.

This way, if the database gets leaked and the hacker wants to gain access to your account in particular, it would still take them a few months of guessing to recover your password from its hash.
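As an added example (not the blog's own code), here is the register-then-verify flow the section describes, in Python's standard library. It uses PBKDF2-HMAC-SHA256, a deliberately slow key-derivation function, in place of a plain hash so that guessing is expensive; the iteration count and salt length are assumptions, not values from the post.

```python
import hashlib
import hmac
import os

# Constructed example: salted password storage and verification.
# PBKDF2-HMAC-SHA256 is used instead of a bare hash so that each guess
# against a leaked record costs the attacker real CPU time.

SALT_BYTES = 16          # assumed: 128-bit random salt, unique per user
ITERATIONS = 600_000     # assumed work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the stored hash from password + salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(password: str) -> dict:
    """Return the record a site stores next to the username: salt and hash, never the password."""
    salt = os.urandom(SALT_BYTES)
    return {
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "hash": hash_password(password, salt).hex(),
    }


def verify(record: dict, attempt: str) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hash_password(attempt, salt, record["iterations"])
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample: two users with the same password get different salts, hence different hashes.
    alice = register("correct horse battery staple")
    bob = register("correct horse battery staple")
    print("same password, different stored hashes:", alice["hash"] != bob["hash"])
    print("right password accepted:", verify(alice, "correct horse battery staple"))
    print("wrong password rejected:", verify(alice, "correct horse battery stapler"))
```

Because the salt is random per user, two people with the same password produce unrelated hashes, so a leaked table cannot be cracked once and matched against everyone.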

How to maintain this security

First, change your important passwords every time you change your toothbrush.

Second, don't follow any fixed rules or patterns for your passwords. Assuming all your previous passwords are known to the hackers, you do not want to give them a pattern that lets them test only a small subset of all possible passwords. Make your passwords as chaotic and difficult to predict as possible.

And remember, the most secure password manager is a piece of paper.

Phishing

Phishing is a family of techniques whose goal is to get someone to enter their login credentials into a website that looks legitimate but is not.

The first thing to keep in mind is: never trust a link with an "@" symbol in it. This is a remnant of the old internet, where username:password@domain.com was a shorthand for logging into a domain. These days, links like https://legit.domain.com/@some.name.com are used to quietly send people to a different domain from the one they're expecting.

The second thing is to always think twice before you enter your credentials somewhere, especially if there's reason to expect that your credentials are already stored in the browser.
For example, if you click on a link someone sent you on Discord and you are asked to enter your Discord credentials again, you are almost certainly being phished.

The third precaution is to always verify domain names and type them out yourself. You don't want to enter your work account credentials at companyname.conn, but there's a greater danger. Sometimes the link will contain letters from the Cyrillic alphabet, which makes it impossible to tell visually whether it's the right domain or not. Typing the address out yourself ensures that, at the very least, you're going to a website whose domain name uses only English letters.
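The three link checks above (an "@" in the address, a look-alike domain, and non-Latin letters in the host name) can be made mechanical. The following Python function is an added example, not code from the blog; it uses only the standard library, and the set of "known good" hosts it accepts is an assumption you would fill in with your own bookmarks.

```python
from urllib.parse import urlsplit

# Constructed example: a pre-click check for the link tricks the section describes.
# A URL is reported as suspicious when
#   1. the authority part carries a user@ prefix (the browser goes to the host AFTER
#      the "@", not to the text before it),
#   2. the host name contains non-ASCII letters (look-alike characters such as Cyrillic
#      "a", which browsers send on the wire in "xn--" punycode form), or
#   3. a set of known-good hosts was supplied and this host is not in it
#      (catches companyname.conn versus companyname.com).


def link_warnings(url: str, known_hosts=None) -> list:
    """Return human-readable warnings for a URL; an empty list means no red flag was found."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []

    if "@" in parts.netloc:
        shown = parts.netloc.split("@", 1)[0]
        warnings.append(f"'@' in the address: the browser will go to {host!r}, not to {shown!r}")

    if not host.isascii():
        # This is the form browsers actually resolve; seeing it makes the substitution visible.
        punycode = host.encode("idna").decode("ascii")
        warnings.append(f"non-ASCII letters in host name; browsers resolve it as {punycode!r}")

    if known_hosts is not None and host not in known_hosts:
        warnings.append(f"{host!r} is not one of your known hosts; type the address yourself")

    return warnings


if __name__ == "__main__":
    # Constructed sample links (assumed, not from the post); the Cyrillic one uses U+0430.
    samples = [
        "https://legit.domain.com/login",
        "https://legit.domain.com@some.name.com/login",
        "https://\u0430pple.com/",
        "https://companyname.conn/login",
    ]
    for link in samples:
        print(link)
        for warning in link_warnings(link, known_hosts={"legit.domain.com", "companyname.com"}):
            print("   !", warning)
```

`urlsplit` is the same parsing rule a browser applies to the authority part, so the "@" case reports the host the browser would really connect to rather than the one a reader sees first.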

Deepfakes

Always verify the source.

Someone using deepfakes will always try to create a sense of emotion or urgency, for example by using a voice changer to sound like a loved one asking for money to be sent to a number you don't recognize because it's an emergency.

Think about setting up emergency passwords with your family to verify such cases. This is also a good thing to teach kids: only go somewhere with a stranger if that person can give the emergency password.

"There is no cloud, there is only someone else's computer"

Cloud offerings started out as a way for Amazon to rent out spare compute when their main business began bleeding traffic. When it got profitable, Oracle and Google followed.

Make sure any sensitive documents you put on the cloud are end-to-end encrypted, or at the very least password-protected, before they leave your machine.