A way to help against this is to get 2-factor authentication of TOTP authentication as well as a physical hardware key such as a YubiKey by Yubico, which during login requires user/pw and then the physical YubiKey to log in, no matter if they knew the credentials.
What I do is several high-level security features:
- a pw that is 100 characters long (I wouldn't recommend it unless you know how to remember it)
- change my pw every 3 months
- YubiKey hardware authentication
- TOTP authentication
- encrypted export in an encrypted file for local use only, in case it needs to be restored.
If you decide to buy a YubiKey, I recommend you buy 2 of them and carry one everywhere with you like a car key, and store the other in a secure place.