Originally Posted by anotherVTskibum
My understanding is that password issues generally fall into three buckets:
1. The user fell for a scam and gave someone the login info "for support purposes"
2. The user has the same password at multiple sites, from those that have serious security setups and professionals watching for intrusions (e.g. financial) to the local ski club message board set up by some dude in his spare time ten years ago, shortly before he left for somewhere with better snow; then the low-security site gets hacked and the credentials are used elsewhere (but see also 1)
3. The password is truly horrible and easy to guess (password123, VailSucks, etc)
Historically, category 4 was when a site would get compromised and the attackers would then use the captured but encrypted login info to brute force passwords, but modern crypto and password storage should make that impractical for any attack without three-letter-agency support.
Forced changes can reduce the carnage from 1 and 2 by limiting the lifespan of compromised credentials, but using a password manager and having a good passphrase for it that you don't share with anyone, especially fake support reps, is a better solution.
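The "category 4" scenario above, offline cracking of a leaked credential store, as an added example that is not part of the quoted post. It contrasts a legacy store (unsalted SHA-256) with a salted, deliberately slow key-derivation function and counts what each costs the attacker for the same wordlist. The accounts, passwords and wordlist are constructed for illustration; PBKDF2-HMAC stands in for "modern password storage" because it is in Python's standard library (scrypt or Argon2 would be the usual production choice), and the 100,000-iteration work factor is an assumption.

```python
"""Offline cracking of a leaked credential store: legacy unsalted fast hash
versus a salted, deliberately slow key-derivation function.

Added example; not code from the original post. Accounts, passwords and the
wordlist are constructed. PBKDF2-HMAC-SHA256 is used as the stand-in "modern"
scheme because it ships in the standard library.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumed work factor; real deployments use more

# Constructed sample accounts: one weak password, one long passphrase.
USERS = {
    "skibum": "password123",
    "patroller": "GladesBeforeBreakfast&DeepSnow2013",
}

# Constructed attacker wordlist, in the order the attacker tries it.
WORDLIST = [
    "123456", "password", "qwerty", "letmein", "password1",
    "password123", "VailSucks", "skibum", "powder", "snow2024",
]


def legacy_hash(password: str) -> str:
    """Unsalted SHA-256, the way many older sites stored passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 with a work factor (stand-in for scrypt/Argon2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def build_legacy_store(users):
    return {u: legacy_hash(p) for u, p in users.items()}


def build_modern_store(users):
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)          # per-user salt: no shared precomputation
        store[u] = (salt, modern_hash(p, salt))
    return store


def crack_legacy(store, wordlist):
    """One hash per candidate covers every account at once (and could be precomputed)."""
    by_hash = {h: u for u, h in store.items()}
    found, work = {}, 0
    for cand in wordlist:
        work += 1
        user = by_hash.get(legacy_hash(cand))
        if user is not None:
            found[user] = cand
    return found, work


def crack_modern(store, wordlist):
    """Per-user salt forces one slow KDF run per (account, candidate) pair."""
    found, work = {}, 0
    for user, (salt, stored) in store.items():
        for cand in wordlist:
            work += 1
            if hmac.compare_digest(modern_hash(cand, salt), stored):
                found[user] = cand
                break                  # stop spending KDF runs on a cracked account
    return found, work


def seconds_per_guess(hash_fn, samples=20):
    """Measured single-core cost of one candidate under the given scheme."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}")
    return (time.perf_counter() - start) / samples


def exhaust_estimate(per_guess, keyspace=26 ** 8):
    """Single-core seconds to try every 8-character lowercase password."""
    return per_guess * keyspace


if __name__ == "__main__":
    legacy_found, legacy_work = crack_legacy(build_legacy_store(USERS), WORDLIST)
    modern_found, modern_work = crack_modern(build_modern_store(USERS), WORDLIST)
    print("legacy:", legacy_found, "hash computations:", legacy_work)
    print("modern:", modern_found, "hash computations:", modern_work)
    salt = os.urandom(16)
    for name, fn in (("sha256", legacy_hash), ("pbkdf2", lambda p: modern_hash(p, salt))):
        t = seconds_per_guess(fn)
        print(f"{name}: {t * 1e6:.1f} us/guess, 26^8 keyspace ~ "
              f"{exhaust_estimate(t) / 3600:.1f} h on one core")
```

Two things fall out of running it: the salted KDF multiplies the attacker's cost by both the per-guess work factor and the number of accounts, which is what makes exhausting a keyspace expensive, but a password that is already in the wordlist (bucket 3) still falls within a handful of guesses under either scheme, so storage hardening does not rescue weak passwords.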