Some of these have been mentioned already:
* A complex password. Not a dictionary word. I use a password generator that minimally does 16 characters (and guarantees upper/lower/special characters). It has options for longer/shorter/etc. because some sites have ridiculous, bad password requirements.
* Since it is a random bunch of characters, you'll have to use a password manager, as mentioned.
* Don't re-use that password anywhere
* Don't re-use your userid (if there is one).
* Don't re-use your email address either. If you get an email from Vanguard, it better damn well go to the email address you expect it to. If you get an email from spammyguy and it comes to the Vanguard email address you've never used anywhere else... this is a flag that something dastardly is going on.
* Because you're using multiple email addresses, these will also have to be folded into your password manager. For my many multiple email addresses, I use a combination of dedicatedmail@mydomain.com and sneakemail. Sneakemail is a paid service that will generate unique email addresses and tag them. They will then forward to one or more back end accounts with the reply-to rewritten. If you reply, it goes back through sneakemail and rewrites it to the original sender. Highly recommended.
* for account reset questions: ALWAYS LIE. These are usually stupid questions that are public knowledge. Use a different one for every account. "What's your mother's maiden name? Blackwoodpecker" Add these to your password manager.
* I actually use an entirely separate browser instance for financial institutions. For normal browsing, I try to use plugins to limit scripting and ads (both of these are slowly becoming impossible to limit these days). For financial institutions, I pretty much allow everything. Minimally this keeps cookies separate. If nothing else, it makes you think: I'm using the financial browser... think before you click. It also keeps things like tabnabbing from happening.
* I don't actually believe in changing passwords often. I think this is a bad practice that tends to make people make bad passwords. Instead of a password like "1fF1F4dnP1I1oHv4" ... you end up with "MyPassword01" that changes to "MyPassword02" ... etc.
* Two-factor auth is awesome. I'd take it further and make sure you keep it 2-factor. In other words, if you're browsing on your phone and the 2nd factor is SMS... it's really not a second factor. You already are holding both factors on the same device. (I worked for a company with a complicated login process, but every single factor was controlled by your Windows credentials. If you had those, you owned every 2nd factor in the system: email, desk phone options, etc.)
* As much as automated stuff is cool... I'd say do not use it for financial data. I am not a fan of web sites (Mint, etc) that log into your financial institutions and download data. The primary mantra of computer security is "least required privilege". The least required privilege for those sites is "none".
* Keep your computer up to date. "Do you want to update/upgrade?" is a question you cannot refuse. Don't run on out of date platforms. If Windows XP is not supported, upgrade or buy a new computer. (The same goes for smart phones. When Google/Apple/Moto/etc stop supporting your model, you pretty much have to upgrade.)
* Stay away from shady web sites. Even on-the-level web sites tend to sell ads that can run javascript on your machine. Bad actors have become pretty smart. I try very hard to limit javascript... but that really is becoming difficult. If you're going to play around on those sites... use separate machines (or VMs) for those sites vs financial sites.
* It's not a bad idea to learn Linux. It can be more secure, IMO. (But: it's totally possible to make an insecure mess with Linux just like it is with any OS.) If nothing else, you are a smaller target. Large scale hacks tend to go towards the mainstream. The IoT is slowly changing this, as a lot of IoT is embedded Linux. It is becoming a larger target over time.
edit to add:
* Never use a user id on your computer that has administrative privileges. Use a "normal" userid for daily use. When you need admin privs, it should require a (strong) password to escalate your privs.
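The password generator described in the first bullet (16 characters minimum, at least one upper, lower and special character, with a knob for sites that restrict length or symbols), written out as an added example; this is not the poster's tool, and the default symbol set and the `generate_password`/`meets_policy` names are my own assumptions.

```python
import secrets
import string

# Character classes the generator guarantees at least one of. The SPECIAL
# set is a constructed default; pass a narrower string for sites that only
# accept a subset of symbols.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"


def generate_password(length=16, special=SPECIAL, require_digit=True):
    """Return a random password of `length` characters containing at least one
    lowercase letter, one uppercase letter, one symbol from `special` and
    (optionally) one digit. Uses the secrets module (CSPRNG), never random."""
    if not special:
        raise ValueError("special set must not be empty")
    classes = [LOWER, UPPER, special]
    if require_digit:
        classes.append(DIGITS)
    if length < len(classes):
        raise ValueError("length too short to satisfy every required class")
    # One guaranteed character per class, then fill the rest from the union.
    chars = [secrets.choice(c) for c in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so the guaranteed characters do not sit at
    # predictable positions (first lower, then upper, ...).
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(password, min_length=16, special=SPECIAL, require_digit=True):
    """Check a password against the same policy: useful to verify generator
    output, or to screen a hand-made password before it goes in the manager."""
    checks = [
        len(password) >= min_length,
        any(c in LOWER for c in password),
        any(c in UPPER for c in password),
        any(c in special for c in password),
    ]
    if require_digit:
        checks.append(any(c in DIGITS for c in password))
    return all(checks)
```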