If you know what to look for and are suspicious by default each time you enter your password online, you will go a long way toward preventing successful phishing attempts.
Each time you get an email about resetting your password, check the address it is coming from and make sure the domain name is the genuine one, not just that the display name looks right.
For example, if one of your account's security questions is "What town was my first job?", answer it with a password of sorts, such as "topeka KSt0wn," or even something unrelated and random like "UJTw Uf9e."

Simple passwords need to be changed. If you have a really easy password that anyone could guess and instantly get into your account, it's time to change it.
Passwords are usually stolen during what's called a phishing attempt, where the attacker gives the user a website or form that the user thinks is the real login page for whatever site the attacker wants the password for.
For example, you could send someone an email saying that their bank account password is too weak and needs to be replaced.
In the email is a special link that the user clicks to go to a website you made that looks like the bank they use.
When the user clicks the link and lands on the page, they enter the email address and password they have been using, because that's what you told them to do in the form (and they think you're from their bank).
It takes just one email to trick someone, and they can suddenly become a victim of identity theft and much more.
When they enter their details into the form, you get an email telling you what their email address and password are. You could then log in as if you were them, see their bank transactions, move money around, and maybe even write online checks to yourself in their name.
The same concept applies to any website that uses a login: an email provider, credit card company, social media website, etc.
If you're ever suspicious, don't click the link; type the website's URL directly into the address bar.
Open your browser and type "bank.com" if that's where you want to go.
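The two checks the article recommends, the sender's domain and the real destination of a link, can be automated. The following is an added example, not code from the original article; it assumes "bank.com" is the genuine domain and uses constructed sample addresses and links.

```python
from urllib.parse import urlsplit
from email.utils import parseaddr

# Assumed genuine domain for this example; the sample sender and links below are constructed.
EXPECTED_DOMAIN = "bank.com"


def belongs_to(hostname: str, expected_domain: str) -> bool:
    """True only if hostname IS expected_domain or a subdomain of it.
    'bank.com.evil.example' ends with 'bank.com' but not with '.bank.com',
    so it is correctly rejected. Non-ASCII (look-alike) hostnames are rejected too."""
    expected = expected_domain.lower()
    if not hostname or not hostname.isascii():
        return False
    return hostname == expected or hostname.endswith("." + expected)


def link_is_genuine(url: str, expected_domain: str = EXPECTED_DOMAIN) -> bool:
    """Check the host a browser would actually connect to for this link.
    urlsplit puts anything before '@' into username, so for
    'https://bank.com@evil.example/reset' the hostname is 'evil.example'."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False
    return belongs_to((parts.hostname or "").lower(), expected_domain)


def sender_is_genuine(from_header: str, expected_domain: str = EXPECTED_DOMAIN) -> bool:
    """Check the address part of a From: header, ignoring the display name,
    so 'Bank Support <alerts@evil.example>' is not treated as the bank."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    return belongs_to(addr.rsplit("@", 1)[1].lower(), expected_domain)


def suspicious_links(urls, expected_domain: str = EXPECTED_DOMAIN):
    """Return every link in the message that does not lead to the expected domain."""
    return [u for u in urls if not link_is_genuine(u, expected_domain)]


if __name__ == "__main__":
    # Constructed sample message: one real link, two that only look real.
    sample_from = "Bank Support <alerts@evil.example>"
    sample_links = [
        "https://login.bank.com/reset",
        "https://bank.com@evil.example/reset",
        "https://bank.com.evil.example/login",
    ]
    print("sender genuine:", sender_is_genuine(sample_from))
    print("suspicious links:", suspicious_links(sample_links))
```

A link that passes this check is only known to point at the right domain; it still says nothing about whether the email itself is legitimate, which is why typing the address yourself remains the safer habit.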