Glenn Fleishman writing for Macworld:
Should you use Apple’s [two-step verification]? Yes, enable it immediately. Should people who aren’t as technical as you use it? Yes, and help them!
Good advice. Glenn outlines Apple's two-step verification system including the recent 'app-specific password' requirement for third-party apps that access iCloud for mail, contacts, and calendar items.
Related: Diogo Mónica's recent article "Password security: Why the horse battery staple is not correct" addresses step one - passwords. It's a good short read if you are interested in learning more about password security.