I don’t have all the answers. But I do know a few things.

Eight character passwords are not okay. Any password that a human can generate on their own, and can remember on their own, is simple enough that it can probably be easily guessed by attackers. Use a good password manager and keep the passwords randomly generated, and as long as the remote system will allow. Protect the password to the password manager with good 2FA, like a hardware token.

As for 2FA, do not use SMS. IMO, that makes things weaker than not having 2FA at all. Use a hardware token instead. Yubikey makes some nice ones, but they’re not the only solution on the market. Do your homework.

Individual passwords for sites should also be protected by 2FA with a hardware token, where that is available. Of course, you’ll need to have a backup hardware token, and a solution for use in emergencies when the hardware tokens are not available at all. Work this out in advance, before you need it.

And practice your backups. Like it or not, when the time comes, you will operate as you have practiced, and if you haven’t practiced, then you won’t operate very well.