Common mistakes and misconceptions
Replacing letters with digits and symbols. This technique is well known to hackers so swapping an "E" for a "3" or a "5" for a "$" doesn't make you much more secure.
That meeting the minimum requirements for a password makes it strong. By today's standards, an 8-character password won't make you very secure.
That it’s fine to use the same password a lot as long as it’s strong – but what if the website is hacked? Do you know how the website stores your password? What if they store it in plaintext?