Well I make sure that everything I say here will stand up in a court of law.
Just for the record, my comment wasn't directed to you.
I realize my response wasn't that helpful, beyond pointing out that you shouldn't believe everything you read in this thread, since there's a lot of misleading/wrong statements.
In trying to be helpful, I'll share what I do.
For passwords:
1. Use a password manager.
2. Use 2FA on sites that matter (financial sites, e-mail).
3. Use e-mail for 2FA if you can.
4. Remember two passwords: one for your password manager and the other for your primary e-mail, the one that you use for 2FA and other notifications.
5. Do not include your e-mail password in your password manager.
6. Use unique passwords for all sites that matter. This should be trivial, since you have a password manager. An example where I don't care are video streaming services.
When I'm not at home:
1. Only connect to sites that I care about over the cell network, or use a VPN to connect to my home network. Avoid connecting to important (financial) sites using public Wi-Fi.
2. I consider using a VPN provider useless for security. Save your money. The only benefit of a VPN is if you want to appear to be in a different location to get around region-blocking sites. My opinion here differs if you use a VPN connecting to your own network, which is nice if you can set it up easily.
I install a minimum amount of software on my computer to avoid any malware, which I consider a bigger risk. I also don't use any web browser extensions, except for a password manager. Yep, no ad-blocker, even though I occasionally use a Pi-hole, which is a better approach to avoiding ads (and other stuff).
Oh, I also make it a point to check my e-mail frequently. Usually it's multiple times daily, which is easy to do on a smartphone. If anything nefarious happens, I'll get an e-mail. As already mentioned, most sites - such as Vanguard - know what device you're connecting from. If an unknown device is used, they'll ask for additional validation. That works well in preventing unauthorized logins from other devices, even if someone has your password. For almost all transactions that matter, I'll get an e-mail.
The reality is if someone gets your password, odds are they won't be able to do much with your account if it's properly secured. And if you use unique passwords everywhere, the hassle of changing a single password isn't that great. It's much harder to deal with compromised credit card numbers.