Here’s a list of 9 steps that everyone can take to get a basic level of security and privacy online. Following them will reduce the risk of your accounts and data being compromised.
Password reuse is a serious problem, but it's not your fault: it's hard to remember a distinct password for every site you sign up to, and humans are bad at choosing passwords that machines will struggle to crack. Reuse is dangerous because a password leaked from one site is immediately tried against every other popular site. Password managers like 1Password or LastPass solve both problems by generating a long random password for each site and remembering it for you. Protect the manager itself with a strong master password and 2FA, since it now holds everything.
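To make the "machines struggle to crack" point concrete, here is an added example (not code from the original post or from any password manager) showing what a manager does when it generates a password, and how much harder a random 20-character password is to brute-force than a human-chosen one. The attacker speed of 1e10 guesses per second and the 16-word list used for the passphrase generator are assumptions constructed for the demo; a real passphrase list (e.g. diceware) has 7776 words, which is the size used in the entropy comparison.

```python
import math
import secrets
import string

# Constructed miniature word list so the passphrase generator runs offline.
# Real tools use lists of ~7776 words; that size is used in compare() below.
WORDS = ["apple", "basalt", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
         "ivory", "juniper", "kelp", "lantern", "marble", "nectar", "orbit", "pebble"]
DICEWARE_LIST_SIZE = 7776  # assumed size of a real word list

SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def generate_password(length: int = 20, alphabet: str = SYMBOLS) -> str:
    """What a password manager does: pick every character uniformly at random
    from a cryptographically secure source (never random.choice for this)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=WORDS) -> str:
    """Same idea with words; easier to type on a phone than 20 random symbols."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    Only valid for *random* strings; a human-chosen 'P@ssw0rd!' is 9 characters
    from the same 94-symbol alphabet but has nowhere near 9 * 6.55 bits."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline brute force, which on average needs to try
    half the keyspace. guesses_per_second is an assumption about the attacker;
    1e10/s is in the range of a GPU rig against a fast, unsalted hash."""
    return 2 ** (bits - 1) / guesses_per_second


def compare(guesses_per_second: float = 1e10) -> dict:
    """Return {description: (bits, expected seconds to crack)} for three styles."""
    cases = {
        "human 8 lowercase letters": entropy_bits(8, 26),
        "manager 20 random chars": entropy_bits(20, len(SYMBOLS)),
        "passphrase 6 diceware words": entropy_bits(6, DICEWARE_LIST_SIZE),
    }
    return {name: (round(bits, 1), expected_crack_seconds(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    print(generate_password())
    print(generate_passphrase())
    for name, (bits, seconds) in compare().items():
        print(f"{name:30s} {bits:6.1f} bits  ~{seconds:.3g} s to crack")
```

The 8-lowercase-letter case falls in seconds at the assumed rate; the 20-character manager password comes out above 128 bits, which is beyond any brute force regardless of hardware. The point is that entropy comes from the generator being random, not from the password looking complicated.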
Without 2FA, your password is your only form of authentication: if it is stolen, phished or cracked, an attacker has full access to your account and can impersonate you. All important accounts (email, banking and social media) should be protected with a second factor, such as a physical security key like a YubiKey or an authenticator app. If possible, avoid SMS codes, which can be intercepted or obtained by SIM swapping. Don't forget to store your backup codes somewhere safe, or you may lock yourself out if you lose the device!
Apple, Microsoft, Google, Facebook and other software makers periodically release bug fixes and security updates. When an update fixes security vulnerabilities, install it immediately: the release notes usually name the publicly known vulnerabilities that were patched, and attackers can also compare the fixed version with the old one to work out how to exploit them. Public knowledge of a fixed vulnerability gives attackers an advantage against anyone still running the outdated software. Turn on automatic updates wherever you can.
Websites are served over either HTTP or HTTPS. With HTTPS, the traffic between your browser and the site is encrypted and the site's identity is verified, so someone on the network path (e.g. on public Wi-Fi) cannot read or alter the pages you see. Unfortunately, some websites that offer HTTPS make it hard to use (e.g. by defaulting to HTTP). Extensions like HTTPS Everywhere ensure HTTPS is used where possible and can also block all HTTP requests (though this may prevent access to some websites). Modern browsers now offer an HTTPS-only mode that does the same job, and HTTPS Everywhere has since been retired by the EFF in favour of it. Note that HTTPS protects the connection, not the site: a malicious site served over HTTPS is still malicious.
Most online chat apps (e.g. Facebook Messenger at the time of writing) do not use end-to-end encryption (E2EE) by default. Messages you send are stored with your service provider, and even if they are encrypted on the provider's servers, the provider holds the key. That means it can read and edit your messages, and if it suffers a serious breach or receives a warrant, your messages could be leaked. With E2EE, messages are encrypted on your device with keys that only you and the recipient have, so the provider only ever stores ciphertext it cannot read. Use Signal or WhatsApp to protect yourself against this.
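The difference between "encrypted on the server" and "end-to-end encrypted" is easiest to see by modelling both. Below is an added example (not code from the original post, and not how Signal or WhatsApp are implemented) that builds a toy encrypt-then-MAC cipher from HMAC-SHA256 and then runs the two storage models side by side. The cipher, the `Provider` class and the scenario functions are constructed for the demo; the shared key between Alice and Bob is assumed to already exist (real apps establish it with an authenticated key exchange, which is out of scope here), and the cipher is an illustration only, not something to use in production.

```python
import hashlib
import hmac
import secrets

# Toy encrypt-then-MAC scheme: HMAC-SHA256 in counter mode as the keystream and
# HMAC-SHA256 over nonce||ciphertext as the tag. Constructed for this demo only;
# real messengers use vetted AEADs and ratcheting key exchange.
NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = []
    for counter in range(-(-length // 32)):          # ceil(length / 32) blocks
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("message was modified or decrypted with the wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Provider:
    """The chat service: it stores messages and, in the non-E2EE model, holds the key."""

    def __init__(self):
        self.server_key = secrets.token_bytes(32)   # the provider's own key
        self.mailbox = []

    def store_plaintext(self, message: bytes):
        # Non-E2EE: TLS protected the message in transit, but the provider
        # receives it in the clear and encrypts it at rest with a key *it* holds.
        self.mailbox.append(encrypt(self.server_key, message))

    def store_blob(self, blob: bytes):
        # E2EE: the provider only ever receives ciphertext made on the sender's device.
        self.mailbox.append(blob)


def provider_can_read_at_rest(message: bytes) -> bytes:
    """Server-side encryption: the provider (or whoever steals its key) reads the message."""
    p = Provider()
    p.store_plaintext(message)
    return decrypt(p.server_key, p.mailbox[0])


def provider_can_rewrite_at_rest(message: bytes, replacement: bytes) -> bytes:
    """...and can silently replace it with something else."""
    p = Provider()
    p.store_plaintext(message)
    p.mailbox[0] = encrypt(p.server_key, replacement)
    return decrypt(p.server_key, p.mailbox[0])


def e2ee_exchange(message: bytes, tamper: bool = False):
    """Returns (provider could read it, what Bob received, tampering detected).
    Assumption: Alice and Bob already share `shared_key` on their devices."""
    shared_key = secrets.token_bytes(32)
    p = Provider()
    p.store_blob(encrypt(shared_key, message))      # Alice encrypts before upload
    try:                                            # provider tries its only key
        decrypt(p.server_key, p.mailbox[0])
        provider_read = True
    except ValueError:
        provider_read = False
    blob = p.mailbox[0]
    if tamper:                                      # provider flips one ciphertext byte
        blob = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    try:
        return provider_read, decrypt(shared_key, blob), False
    except ValueError:
        return provider_read, None, True
```

In the E2EE model the provider is reduced to a relay: it cannot decrypt the stored blob, and a modified blob fails the recipient's integrity check rather than quietly reading differently. A breach or warrant at the provider then yields only ciphertext, which is exactly the property the post is recommending.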
If it's legal where you live, consider using a reputable VPN. Without one, your ISP (e.g. Comcast or BT) can see which websites you visit, and if a site is not served over HTTPS it can also see what you do there. In the U.S., lawmakers recently relaxed the rules, allowing ISPs to sell your browsing history. Imagine your health insurer getting hold of your medical search history! Bear in mind that a VPN does not make you anonymous: it moves that visibility from your ISP to the VPN provider, so pick one you trust more than your ISP.
Advertisers and other third-party trackers quietly record where you go and which pages you look at across the web, using cookies and tracking scripts embedded in the sites you visit. This helps them sell products, and can even mean you are shown a higher price than someone else. You can block this with a browser extension like Privacy Badger.
Search engines like Google or Bing store your search history and a great deal of personal information by default. They use it to work out your interests (very accurately) and show you ads you are likely to click on, and they may also be required to hand it over to the authorities. If you're not comfortable with that, consider changing your default search engine to one that doesn't track you, like DuckDuckGo or Startpage!
The U.S. (and other countries) are increasingly forcing people to unlock their devices, typically at the border, where no warrant is needed. I suggest not crossing a border with devices containing sensitive information, but that isn't always possible. Locking your device with a passcode instead of your fingerprint makes it harder for someone to force you to unlock it, and unlike a passcode, a fingerprint cannot be changed if it is ever compromised (e.g. in a data breach). Most phones also let you temporarily disable biometric unlock so the passcode is required (on iOS, by holding the side and a volume button until the power-off screen appears; on Android, via the Lockdown option in the power menu), which is worth doing before you reach the checkpoint.
Disclaimer: I do not guarantee these steps will protect you from attackers, especially sophisticated or determined ones.