Additionally, I recommend either writing your passwords down on a piece of secure physical media (not completely advisable, I know, but unless you can remember each one or are terrible when it comes to keeping track of your things, you should be fine keeping them in an unsuspecting-looking notebook - maybe one filled with pages of actual math homework or something as a cover), or putting them on a thumb drive and simply inserting that whenever you want to log in, or using a password manager like Bitwarden. It isn't 100% foolproof as they have servers that could be compromised just like any other similar service, but it's better than nothing to have your passwords stored and hashed so an attacker can't just take a peek at them. Unless they happen to get their hands on the database and use a rainbow table attack to retrieve the plaintext passwords, but that's just a risk you take with storing credentials and sensitive info in general on anyone else's machine.
Furthermore, I also recommend using randomly generated passwords that are 45 or more characters in length and generating new ones every time you change your account's passwords in order to minimize the risk of someone just guessing or using a brute force attack (basically more guessing, but with password spam as well until the password is guessed correctly). Do this for every single account you make if you can. A good tool for this also happens to come from Bitwarden, and is one I happen to use myself, although there are many others on the web as well: Bitwarden Password Generator. As for the why behind the length, it basically makes brute force attacks harder to do, as the longer the password, the more time has to be spent calculating every possible combination of symbol, number, and character potentially used. Completely blind at that if it's random and changed regularly, and is also a mix of various symbols, numbers, characters and the like. Though there is still a major debate versus password complexity as you can see. Even so, a mixed approach that incorporates both, as random password generation does, is still best practice currently.
If you believe your account has been compromised, sign out of all accounts if possible and change your passwords immediately. The less time they can spend fiddling with various settings to keep you out or request more personal info or see connected accounts/services (as is the case if someone gains access to your Google account and starts snooping for any third-party programs you have connected), the better. Also yes, do turn on 2FA. Multiple forms ideally, albeit ones that don't rely too heavily on SMS messages and the like since SIM swap attacks happen to be a thing. Authy is one I happen to use. Consider securing these 2FA applications with either a password, PIN, biometrics, or some combination of the three as well. Same with your phone itself, etc.
Finally, clear your browser cookies. This will log you out if you're still logged in, but better a minor inconvenience every time you accidentally close your browser (if you've set history and browsing data to clear on exit) than someone potentially hijacking them and getting your info, or even access to your current session. And remember not to download and/or run random shit from the internet that you can't verify the credibility and security of. Especially if it's some form of executable. Oh, and yeah, don't give your info away.