“use a strong password” whats that gonna do if the database gets pwned, sandra? or if you get pwned by a 0click 0day

Is that the metric you’re using for what to do? If it can’t stand up to a 0click 0day you don’t do it? Might as well not set up an account or use any services then.

Like most things, it’s defense in depth. Use a strong password to make it harder to crack. Don’t use the same password on more than one site so if they do crack it your blast radius is still small (this also applies to the database getting popped.)

Use MFA so even if they do get your credentials there’s another barrier. Use an app based one like Aegis and avoid SMS and email if you can (though these can be better than nothing.)

Your goal should be to not be the low hanging fruit, not necessarily to be impenetrable especially when you don’t control every piece of the tech stack. A strong password is just one part of that process.