For what a civilian target would worry about, using sufficiently long passwords is your best defense. Complexity is barely important.
111111111111111111111111111.1111 is an excellent password.
Everyone should Ctrl+f their password here. But also wait the 10 minutes it'll take to load the whole thing.
If your pw is on this list, change it immediately.
If it's less than 8 chars? Change immediately. If it's less than 10 chars? Change... Now.
If it's less than 14 chars, consider just making your password longer.
This advice will save more people in its simplicity than saying more.
Want a smidge more?
If you're paranoid, take a password that you think is decent, then insert it here, then use the output as your password.
Most times, pws aren't stored in plain text, they're stored using that algorithm. So, if your password is 'password', hackers night easily be able to see that your passwords encrypted value is exactly what that link will output if you put in 'password'. If your password is on that huge list from the beginning of the post, they can easily decrypt the encrypted password, because these passwords's hashes are known.
So, use the hash itself as a password.
Hell, throw a comma at the beginning to throw it off.