I'm always surprised at the amount of people around me, both non-tech-savvy and surprisingly tech-savvy folks too, who do not use a password manager. I falsely assumed, being in my own bubble, that was considered barebones these days.

So it gets my vote.

2FA is not far behind, but most of them use it and are often forced to by their apps and services, even if it's the insecure SMS kind.