First rule... as much as I hate to say it, the bitcoin industry is full of scammers! At least in the low end of the market. Bitcoin transactions cannot be reversed, which makes bitcoin attractive from a scammer's point of view. So if someone is selling you a high-priced item like a car or something and he wants you to forward bitcoins first, he's probably scamming you. Basically, anything that feels weird, don't do.
Also, watch out for "scamcoins". OneCoin or BitClub comes to mind, but there are others. These perpetrators try to get you to "invest" in their worthless currency while giving you little in return. So if it feels like someone is using "sales tactics" to peddle a coin you never heard of, beware. Basically, beware of advice from someone who makes money off of that advice.
"Consensus" agreements on reddit are usually pretty good about identifying "scamcoins". Reddit is pretty good source that I like to use.
Some people choose to use localbitcoins.com or Paxful to buy bitcoins for privacy reasons. If you do, choose the dealer that's been there the longest with a good satisfaction score. Optimize for safety on this option because of all the damn scammers in the business. Charlie Munger said it best: Stay away from garages on big highways. Such mechanics know they'll never see you again. Go to a neighborhood garage, where word-of-mouth serves as advertising.
Promises are irrelevant. Track records are mega-important. And you can carry this heuristic into life. If someone makes lots of promises but has a long history of idiocy, ignore him. You will occasionally be wrong with this heuristic, but in the long run you'll be better off.
I wrote a mini-article describing the pros and cons of this. But the short answer is to choose the Coinbase app if you are new and Mycelium or Electrum if you desire privacy. Be sure to back up properly with the Mycelium/Electrum option!
Most crypto-currency apps make you back up your bitcoin keys, usually by writing a long list of words on a piece of paper ("horse battery cart staple..."). This list of words is called a "seed".
Remember, bitcoin isn't a credit card. If someone goes on a shopping spree with your bitcoins, there is no one who can reverse the charge. Once they're gone, they're gone.
A Trezor is a bitcoin "safe" designed to store your bitcoins offline. This makes them impervious to online attacks. The private keys never leave the Trezor, so they stay private even if your computer gets hacked through a virus. The only "hack" is to physically steal the damn thing. Anyone using crypto-currencies as a long-term investment should get one, and they're only $99. Trezors can store not only bitcoins, but a variety of other crypto-currencies such as ethereum, dash, zcash, and any other ethereum-based tokens that support the ERC-20 token standard. So you can store any of the DAOs that are the rage these days (golem, augur, aragon, etc.).
The palest ink is better than the best memory - Chinese Proverb
Most people choose passwords that are hard to remember but easy to guess (for a computer, anyway).
Diceware is a pretty good system for creating strong passwords that are hard to hack. The "tldr" is that you should combine 5 or more unrelated words ("horse cart battery staple...") together. This is very much like the words in a "seed" file. Then create a silly sentence with it in your head. This is very random, very safe, easier to remember, and hard to hack.
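As an added illustration of the Diceware method (this is example code, not part of the original guide or the Diceware project), here is the whole procedure in Python: roll dice with the operating system's cryptographic random source, turn each roll into an index into a word list, join the words, and compute how many bits of entropy the result carries. The 36-entry word list below is constructed for the demo; a real list such as the EFF long list has 6**5 = 7776 entries keyed "11111" through "66666", and the code handles that size with the same functions.

```python
import math
import secrets

# Constructed sample word list for a two-dice demo: exactly 6**2 = 36 entries,
# one per dice key "11".."66". Real Diceware lists have 6**5 = 7776 entries.
SAMPLE_WORDLIST = [
    "acid", "apple", "bacon", "bear", "cabin", "candle", "daisy", "dragon", "eagle", "earth",
    "fable", "flute", "giant", "glass", "hazel", "honey", "igloo", "ivory", "jelly", "jungle",
    "kayak", "kiwi", "lemon", "lunar", "mango", "maple", "noble", "north", "ocean", "olive",
    "panda", "pearl", "quilt", "radio", "river", "sugar",
]


def roll_key(num_dice: int) -> str:
    """Roll num_dice six-sided dice using the OS CSPRNG (secrets), e.g. "31462".

    secrets.randbelow is unbiased; never use random.randint for passphrases.
    """
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(num_dice))


def key_to_index(key: str) -> int:
    """Interpret a dice key (digits 1-6) as a base-6 number: "11" -> 0, "66" -> 35."""
    if not key or any(ch not in "123456" for ch in key):
        raise ValueError("dice key must consist only of digits 1-6")
    index = 0
    for ch in key:
        index = index * 6 + (int(ch) - 1)
    return index


def diceware_passphrase(wordlist, num_words: int = 5, roll=roll_key) -> str:
    """Pick num_words words by dice roll and join them with spaces.

    The word list must have exactly 6**k entries so every dice key maps to a word.
    `roll` is injectable so the selection can be tested deterministically.
    """
    num_dice = round(math.log(len(wordlist), 6))
    if 6 ** num_dice != len(wordlist):
        raise ValueError("word list size must be a power of 6")
    return " ".join(wordlist[key_to_index(roll(num_dice))] for _ in range(num_words))


def entropy_bits(wordlist_size: int, num_words: int) -> float:
    """Entropy of a passphrase of num_words words drawn uniformly from the list."""
    return num_words * math.log2(wordlist_size)


def expected_guess_years(bits: float, guesses_per_second: float = 1e12) -> float:
    """Years to search half the keyspace at an assumed guess rate (offline attack model)."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    phrase = diceware_passphrase(SAMPLE_WORDLIST, num_words=5)
    print("demo passphrase (36-word list):", phrase)
    print("5 words from a 7776-word list: %.1f bits" % entropy_bits(7776, 5))
    print("years at 10^12 guesses/s: %.1f" % expected_guess_years(entropy_bits(7776, 5)))
```

Five words from a full 7776-word list give about 64.6 bits, which is why the guide's "5 or more words" advice holds; the toy 36-word list here yields only about 25.8 bits and is for demonstrating the mechanism, not for generating a real passphrase.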
Remember, you're still likely to forget a password of 5 or more words, especially if you don't use it every day. So write it down on a piece of paper and put it somewhere safe, away from prying eyes. A bank safe deposit box is a good option. Dropbox and email are a big no-no because they're prone to being hacked or viewed by someone else.
2-factor authentication is a system where you need both your password and a code on your cell phone to log in to your account. It's a bit of a hassle, but it is much harder to hack. Wikipedia has a good description of how 2-factor works.
Side note: It might be a good idea to put 2-factor authentication on your email system as well, while you're at it. Hackers are sometimes able to steal bitcoins once they control the target's email account.