I've spent the last month or so changing all of my passwords after receiving a couple letters from AT&T about a 2009 breach, which they denied until recently and sent to my discontinued PO Box that's still forwarded, as well as notices from several other companies. The problem that still exists are PIN access codes. Most are 4 digits, so only 10,000 numbers to try to hack your PIN for whatever. Of course many financial organizations are now using TOTP which is a PIN that changes every 30 seconds and is unique to you and only usable for a short period of time. It's getting crazy out there for sure.
BTW, I've changed about 400 of the nearly 500 passwords I keep in a secure program. I was really surprised as to how many that were over 20 years old and basically the same with minor variations. Then a bunch more that were based on a root word that I started using about 15 years ago. Then another root word the past 10 years or so. Now all the ones I've changed are 10-16 garbage characters created by my storage program. However, many old websites are no longer in existence, so I can't change those passwords, but the ones they had are already in the trash can.
73's
George - WB5JJJ
HoIP - 100105