All of the following is common knowledge, but people still tend to ignore password common sense, so it's worth repeating:
When you change a password for any of your accounts, it should not be identical to any of the previous passwords.
Since passwords have a fixed length, a brute-force attack to crack a password will always be successful given enough processing power and time.
Creating a strong password and writing it on a piece of paper is as bad as choosing an easy-to-remember password and keeping it in your head.
That includes your family and friends. Instead, share security tips with your elderly relatives, because they belong to one of the most vulnerable groups of internet users.
Legitimate organisations or websites never ask for your username and password via email.
It is very tempting to create the same or very similar passwords for all banking sites, social network websites, etc. Avoid the temptation and create a unique password for each account.
Even if you only suspect that someone might have stolen your password, change it right away.