Just a reminder, turn on 2 factor authentication on any site you remotely care about.
https://lifehacker.com/dont-wait-for-microsoft-to-reset-your-accounts-password-1840272138
Don't bother for throw away accounts, but you should always have *something* other than a username/password protecting anything you care about.
And not all 2FAs are created equal. Hardware tokens are the best, followed closely by App-based (time based) 2fa. Lagging far behind is phone/SMS based and "better than nothing" is email-based 2FA.
1/2
2FA requires you to have something in your possession that ensures that it's you, and only you, that's using your username and password.
Yes, it's slightly annoying, but far less annoying than losing control of your email, bank, twitter, or even CoSo accounts.
And criminals really don't care if you have money or status... if they successfully hack your account, they're throwing it away, not giving it back to you.