If my account gets hacked here it's not the end of the world, but if the hackers trawl the internet with my email address and password and find that I used the same password for my email account, online banking, credit card then THAT can cause serious problems.
True. There's lots of hacks stealing and publishing user account data, latest big one was something like 500 million accounts from Facebook. They normally include the password, at best in a salted, hashed version. But often - if any - those hashes are something like unsalted MD5 which is not too hard to roll back to plain text these days. The follow-up attacks are fully automated, so a hacker downloads or buys a package of user accounts to feed them into a couple of scripts which then crawl the internet trying to get access to various services. That's the reason for having different user credentials on all services you're using. So I can only second this one:
Password managers are our friends. They generate random passwords for every site, and then they remember them and fill them out for you.
Yeah, it's a bit inconvenient if you have to log in from another device or browser but it's your data, your money, your computer, keep that in mind.
Another vector is weak passwords. It doesn't matter if you sprinkle in some numbers or special characters, they are kept in dictionaries, downloadable or purchasable, containing millions of average passwords. So "P4s$w0rd", "123456#", "qwerty123", "_4dm1n15tr4t0r_", "MyPassw0rd", "$3CUR3" and friends are considered non-existent password-wise. With a dictionary of passwords and a user name it's often a matter of seconds to get access to whatever site.
The best thing to do is to use random strings. This can be done with most programs these days, as pointed out by Naigewron already. If you're using Linux, there's a command line tool called pwgen which can be used like this:
Bash:
~$ pwgen 16
iephumooLushiez4 ieNg0Quu3aongaeV RooDiechi0jiZ0Oh Ahth0loDe5aeYeri
ov6ahph2WaiVoon6 chaiwab8Roy3ta6W foowaiquee0map9D gaJiZioPhieChec6
ietooX1Chi6pha8e Aequ5shu9tah4Vid oop6Ohta1neishai iefu1yuChi5saimu
Yiuxiedaeyah8Lea jier2Eew1Pha6fee Ojou1OoWae4la9qu sooT0Eepoo2ahj1i
isieghu1Shoh9ohg itheojo4iZaisiHa Ur3jo1eequaito5A KaiPo0nee9Thi7so
iurahmeegh1gohJe Oshie6LaiZe8beif Et5quithie6oilua ooGoh9IeS5yi4pee
leu3aQu7rohsoo5u ahzaeDu1Baig5Huv faew5epaCishog8n tah5aiyahWoo1ait
It can be used on macOS as well, install via Homebrew:
Probably the most secure password is something long that you are able to remember, maybe something like:
"MyMotherWasBorn1942AndNeverHeardOfInstagram"
But that user credentials thing is just one of the attack vectors these days...
EDIT: One thing to keep in mind is that it's not about you personally. No one would try to spoof you just out of nothing if you're no high priority target for whatever reason. You're just a single entry in a huuuge CSV file, getting attacked on an automated basis. No humans and no feelings involved here.
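The point about "sprinkled" numbers and special characters, as an added example that is not part of the original post: a signup-side check that rejects passwords which reduce to a dictionary entry once common decoration is undone, plus a random generator. The word list is a tiny constructed sample, the substitution table is an assumed, non-exhaustive mapping, and `generate()` draws uniformly random characters rather than reproducing pwgen's own algorithm.

```python
import re
import secrets
import string

# Constructed sample word list; a real check would load a large breached-password list.
COMMON = {"password", "123456", "qwerty", "administrator", "mypassword", "secure"}

# Assumed leetspeak substitutions (illustrative, not exhaustive).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})


def candidates(password):
    """Return the simplified forms of a password that a dictionary would cover."""
    base = password.lower()
    forms = set()
    for form in (base, base.translate(LEET)):
        # Drop decoration such as a leading/trailing "_" or "#".
        stripped = re.sub(r"^[^a-z0-9]+|[^a-z0-9]+$", "", form)
        forms.add(stripped)
        # Drop an appended number such as "123".
        forms.add(re.sub(r"\d+$", "", stripped))
    forms.discard("")
    return forms


def is_dictionary_password(password, wordlist=COMMON):
    """True if any simplified form of the password is a known common password."""
    return not candidates(password).isdisjoint(wordlist)


def generate(length=16):
    """Uniformly random alphanumeric password drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["P4s$w0rd", "123456#", "qwerty123", "_4dm1n15tr4t0r_",
               "MyPassw0rd", "$3CUR3", "iephumooLushiez4", generate()]:
        verdict = "REJECT (dictionary-based)" if is_dictionary_password(pw) else "ok"
        print(f"{pw:20} {verdict}")
```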