For me it would be the following:

  1. Don't reuse usernames/names
  2. Avoid using social media
  3. Use Tor/VPN when you can
  • cooopsspace@infosec.pub · 11 months ago
    1. Password manager such as Bitwarden, generate long strong passwords for everything.
       1a. SSO (By which I mean "log in with Google/Microsoft/Apple/Whatever") nothing.
    2. Hardware keys, MFA on anything that doesn't support one.
    3. Degoogle, de-megacorp.

    VPN shouldn't even be in the top 10. The benefits are dubious at best and the jury is still out on whether it makes you more of a target.