There are guidelines for stronger passwords, such as using a unique password for each online service and mixing letters, numbers and symbols. Assuming an average of 40 or so online accounts per person, there is close to nil chance that anyone can remember that many long, difficult passwords. It’s probably difficult to remember even three different passwords if we were to follow the ‘strong password’ guideline. Browser-based plugins that ‘remember’ passwords on our behalf aren’t exactly secure either.
One way to strengthen account security is two-step verification, which generates a different number every few seconds. The one big hurdle to adoption is that looking up verification codes for 20 or so accounts every time isn’t very appealing to most people. However, given that shorter passwords can be attacked by brute force and cracked in reasonable time, two-step verification is probably still the best option.
While many services offer a secure (https) online service, many don’t. There are general concerns about which ones implement security properly, and some services aren’t https by default. Internet ‘bad actors’ stealing data in transit (or by other means) is an exponentially costly problem.
While good security practice from service providers and users is often time-consuming, bad security seems to cost both time and money.