Cybercriminals use many methods to access accounts, including dictionary brute-force attacks (attacks made to guess passwords), as well as comparing various word combinations against a dictionary file. Cybercriminals may also use password capturing tools like "Keyloggers" on the victim's computer. eKalam suggests the below-mentioned points that each individual/ Entity should follow:
Do's
Always use different passwords for different accounts.
Ensure the password is strong. Strong passwords should contain a combination of upper case, lower case, numbers, and "Special" characters (e.g., @#$%^&*0 +|~-=1: ":<>/.etc.)
Immediately, change any password which might have been shared or revealed by mistake.
Passwords must be changed at regular intervals.
A password shouldn't contain
Birth dates, names, ID proofs, and other personal information such as addresses and phone numbers.
Commonly used words such as names of family members, pets, friends, colleagues, movies, novels, comic characters, etc.
Password recovery answers should not be guessable.
Password should not be less than eight characters.

Don’t
Do not use public systems to access banking/ sensitive sites.
Do not share the passwords, or OTP through e-mail, chat, or any other electronic communication.
Do not reveal passwords on questionnaires or security forms.
Do not choose/ select the "remember my password" option for banking/ sensitive sites.
Never write down your password anywhere, especially as a 'note stick' to the computer.
Don't use your biometrics (fingerprint, etc.) at untrusted terminals/ sites.