There are quite a few different aspects to security on the internet; I can't possibly mention them all, so I'll concentrate on the things you really need to begin with.
Passwords are supposed to prove that you are the same person who used something previously. Though that's often no such proof, as people will often store their passwords on their computer (which allows someone else to easily pretend to be them).
They're also supposed to prove that you are who you say you are. But they generally don't do that, because no attempt was ever made to verify your identity.
Passwords should be kept confidential, and only used for their intended purpose. For instance, if you use a password for accessing an e-mail account, then only use it for that task. Don't tell it to someone working at the mail service provider if you get stuck trying to use your mail; they don't need to know it. But if you cannot avoid giving it to someone, change it as soon as you're done dealing with them.
Passwords should be difficult to guess, but easy to remember, and different for each service that you use (if someone can crack one weak system and discover your password, you don't want them to be able to break into every other system).
It's common advice not to store your passwords on your computer. If someone hacks into it, which is all too easy with Windows, they can copy them. It's also advisable not to write them down, though if you need to do that so you won't forget them, have the sense not to do it right next to the computer.
Using pass phrases instead of words is much more secure. The more letters you use, the harder it is to crack or guess. Also, they can be much more memorable.
e.g. something strange like “i-want-2-eat-donkey-pizzas” is probably going to stick in your mind more than “iw2edp”.
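To make the point of the last two paragraphs concrete, here is an added illustration of my own (not part of the original page) that estimates how much work an attacker faces for the two passwords quoted above. It uses two models: brute force over the character set the password is drawn from, and, for the phrase, guessing each hyphen-separated word from a dictionary. The dictionary size of 20,000 words and the guess rate of ten billion per second are assumptions chosen for illustration, not measured figures.

```python
import math
import string

# The two sample passwords quoted on the page.
SHORT = "iw2edp"
PHRASE = "i-want-2-eat-donkey-pizzas"

# Assumed attacker capability and dictionary size (illustrative, not measured).
GUESSES_PER_SECOND = 1e10
DICTIONARY_WORDS = 20000


def charset_size(pw: str) -> int:
    """Size of the union of standard character classes present in pw.

    An attacker who knows the password mixes, say, lowercase letters and
    digits only needs to search a 36-symbol alphabet, not the full keyboard.
    """
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))


def bruteforce_bits(pw: str) -> float:
    """Bits of work to try every string of len(pw) over its character set."""
    return len(pw) * math.log2(charset_size(pw))


def wordlist_bits(pw: str, dictionary_words: int = DICTIONARY_WORDS,
                  sep: str = "-") -> float:
    """Bits of work if the attacker knows the password is a sep-joined phrase
    and guesses each token from a dictionary of the given size.

    This is the more realistic model for a phrase made of ordinary words: the
    length in characters overstates its strength, but the phrase still wins.
    """
    tokens = pw.split(sep)
    return len(tokens) * math.log2(dictionary_words)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try the whole search space at the given guess rate."""
    seconds_per_year = 365.25 * 24 * 3600
    return (2 ** bits) / rate / seconds_per_year


def report(pw: str) -> dict:
    """Summarise both models for one password."""
    return {
        "password": pw,
        "charset": charset_size(pw),
        "bruteforce_bits": round(bruteforce_bits(pw), 1),
        "wordlist_bits": round(wordlist_bits(pw), 1),
        "years_bruteforce": years_to_exhaust(bruteforce_bits(pw)),
    }


if __name__ == "__main__":
    for pw in (SHORT, PHRASE):
        r = report(pw)
        print(f"{r['password']!r}: charset {r['charset']}, "
              f"brute force {r['bruteforce_bits']} bits "
              f"(~{r['years_bruteforce']:.2g} years), "
              f"dictionary model {r['wordlist_bits']} bits")
```

Even under the pessimistic dictionary model, the phrase needs roughly 86 bits of guessing against about 31 for the six-character version, and the brute-force figure for the phrase is well over 150 bits. The short form is exhausted in seconds at the assumed rate.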
Anything that you do that needs to be confidential (financial transactions, credit card details, private correspondence, etc.), should be encrypted. Even something as seemingly innocuous as an e-mail to a friend about going to a film on Friday night can tell a stranger that your house will be free to burgle at that time, should your e-mail go astray.
Just about all web browsers support encrypted connections, and just about all services that need it (e.g. banking) will insist on a secure connection (they won't let the browser make an insecure connection). You can recognise such connections in two ways: “HTTPS” prefixed web addresses, and usually a closed padlock icon somewhere on the browser (often you can click on it for information about the security of the current connection).
E-mail, on the other hand, is generally not encrypted, and is often quite difficult to encrypt (both sender and recipient need to arrange it, have appropriate software, and know how to use it). PGP, if you can understand how to use it, is probably the best way to encrypt your mail (it's available for a wide range of different computer types, and for free).
It's easy for someone to hack you if you don't do anything to keep them out. You really should do your best to make it hard for someone to do something to your system. If you share files across the internet, you want to be sure that you're only sharing what you intend to, not the entire disk drive. If you run servers, you want to be sure that they only do the specific jobs that you want them to. Likewise, if you get some software from the internet, you want to be sure that it doesn't do things you don't expect (like mailing your private files while it pretends to be just a screen saver). And you really should use a firewall to block off unwanted connections to your computer.
File sharing programs are notorious for compromising your security, in a variety of ways, and generally are used to break the law when used for their intended purpose (sharing files that are not your property, not yours to trade, and freely downloading something that you should have paid the owner for).
Mail and web servers are often easily hacked or abused. People don't always set them up properly, and some are very bad at handling errors in operation. Running a publicly accessible server is really not something that a novice should do.
It's hard to work out whether some interesting sounding software does what it says, or something else. But some general advice is to only download from services with a reputation, and avoid files that have been very recently placed on them, in the hope that anything that was discovered to be malicious would have been removed from the server a while ago. It's always advisable to search for reviews or comments about the software, though be aware that it's easy for people to post faked endorsements, or malicious fake criticisms. Regardless of how much you might trust someone, always scan files for viruses and trojans.
Firewalls can help protect you, generally from other problems with a system that are hard to resolve directly, but they're no guarantee. Though I'd still recommend them to any Windows user, as they can protect you from a lot of faults with Windows itself that can be hard for a novice to properly fix. But they're a bit of a band-aid solution; if you've got some bad software that you're relying on the firewall to save you from, you're much better off getting rid of the real problem.
Likewise, anti-virus and anti-trojan software can find things that did manage to slip through your defences, and may be able to fix things, but their best use is to check files before you use them, not to try and repair damage created afterwards (which isn't always possible).
In general, any system that I've seen where the owner doesn't bother with any anti-virus and anti-trojan effort has been infected several times over. Not only does it make their system unstable, or unusable, it affects other people that they interact with, and complete strangers.