by scrollaway 3659 days ago
Use a password manager. One strong password per site.

https://www.keepassx.org/

Also, use 2FA wherever available. Google Authenticator is good enough.

Store your backup codes somewhere safe (your keepass db, for example. Although that goes a bit counter to the point of 2FA, if someone cracks your keepass db, you're pretty screwed regardless).


There is still a major annoyance with Google Authenticator etc.:

When you switch your device, you have to set up your 2FA credentials again …

I store the original 2fa seed somewhere offline and safe (wallet, safe, etc) so that I can bootstrap a new auth device at will.
Authy solves this problem and lets you share among devices.
This is not a problem with 1Password, which syncs TOTP keys as part of your secure keychain, making it easy to use multiple devices, or even just your desktop.
This is why I now use SMS authentication.
Not only do you get the same issue with SMS authentication (have to set it up again when you get a new number), but on top of it SMS auth is not as readily available and has proprietary requirements (namely, you have to have a mobile number with text support, it has to be available at your current location, it may cost money, the auth service has to support whichever country code you're under, ...).

Also, as other people mentioned, it's technically possible to back up your initial seed.

SMS auth is a disgrace, when we have 2fa standards.

I do sometimes too … although it is less secure … and if you are abroad, it can be expensive due to roaming charges … or you are not online at all …