Use the "passwords" feature to check if one of yours is compromised. If it shows up, never ever reuse those credentials. They'll be baked into thousands of botnets etc. and be forevermore part of automated break-in attempts until one randomly succeeds.
As someone who consults in the IT Security space, It's bad out there. Contractors and BYOD companies are downright sheepish in asking their outsourced employees to do anything security-related to their devices. The biggest attack vector is allowed unfettered remote access (and therefore the whole company and any bad actors are also granted unfettered remote access)
I still can't get over how quickly companies-at-large have abandoned VPN Servers (removing network trust from the list of options as well)
I'm down to managed browsers via IdP, and I just can't wait for the objections to that as well. People out here offering their faces to leopards. Certificate-based MFA on all the things IMO - passwords shouldnt matter (but six digit MFA codes aren't immune to fake landing pages and siphoned MFA tokens that don't expire)
I use utterly unique and very long passphrases for the most important stuff (banking, mortgage servicing, email, etc.), 2FA for those and most other things, and just throwaway crap passwords for things I don't care about (web forums and most everything else).