I have a text file with websites, usernames and partial passwords.
By partial passwords I mean I only write down hint letters, hints for which only I know what group of letters or words they have to be replaced with, so as to form the password. That equivalence between pass hints and their corresponding chars is not noted down anywhere, I just know them by heart.
About two factor authentication, it's horrible, because it makes you dependent on a second device (what do you do if your phone goes belly up?), and because it automatically discloses your identity (your phone number is also your global UUID).
I was once auto-enrolled by the bank into some shitty second authentication for online payments, and as a result I was unable to make payments with a debit card because of no phone battery. To make it even more ridiculous, the outside payments (i.e. Aliexpress) were accepted without SMS confirmation, only the EU payments needed a second pass by phone SMS. I had to walk to the bank to be unsubscribed from such crap.
In my eyes, dual authentication is nothing but surveillance, extra data harvesting, and constant nagging if you log in from another device.
Same with password complexity: the only times when I've lost an account it was because of a site database leak, not because of brute forcing my password that didn't have enough numbers and special chars.
Two factor authentication never ever blocked a hack attempt, in my experience. Never. It only blocked me from using my own accounts. Many times. The stupidest thing ever.