The #1 thing to do is ALWAYS use HTTPS/SSL/TLS (those are all names for the same thing; if the web address starts with "https" instead of "http", you're good). This encrypts all the traffic to the server, so even on an open wifi network, the best someone eavesdropping on you could tell is what site you're connecting to, not what you're sending. Many sites that default to "http" will still work fine if you change it to "https" in the address bar of your browser. Some sites, like gmail, offer a setting to force HTTPS in their settings page.
The #2 thing is link your cell phone to your account. Gmail does this, and I think facebook does too. That way, when you lose your password, you can reset it by getting a text. Gmail also offers "two step verififcation" authentication which is much more secure, and I believe this is what you alluded to before about receiving a text to authorize a new computer (this is distinct from the password recovery feature, AFAIK
Using a VPN when on an open wifi network is also a very, very good idea.