OK, I get the idea of a consistent message, but I'm sorry, I can't buy into the Project Fear that says you have to have a different password for every site you visit. There are very clearly two types of site; maybe that should be 2.5.
The first are those where you have security to identify yourself to others, like here. There is no or little PI here; if someone wants to imitate me here or on any other similar site, so be it. Yes, they could send out begging messages in my name, but that could be anyone's name. If a kindhearted soul sent money because I "needed train fare to get to my dying mother" or whatever, that would be a learning experience for them (hint: it would also be 40 years too late). Personally, I confess I use one fairly crappy password for all those.
The second are the limited number of sites I trust with stuff, such as banks, Google, Amazon, PayPal. Those all have secure, unique passwords and 2FA (two-factor authentication), the 2FA stopping any password hack dead in its tracks. Why wouldn't you have 2FA?
The 2.5 type are those sites that you might subscribe to as a service, like Adobe, that arguably deserve some kind of elevated security. I can't see that there would be any benefit to a hacker logging in to these, so I tend to lump them with type 1. You don't save card details on shopping sites "for convenience" now, do you?
In addition, I regularly check my credit reference file with one of the free services to see any early signs of identity theft. There are too many sources to block from the personal end; awareness of the possibility and monitoring are the only defence.
And yes, I am reliant on my phone as a physical device. Truth is we (almost) all are one way or the other.