Yes, excellent advice on credential management, but...
When the authentication server(s) are hacked and it becomes known, the knee-jerk reaction of most security experts is:
As if password strength would matter in the case of a data breach. Does it really matter if the password is “123456Ab” or “3pHj1P38JVF4A”? Especially if the password is stored in plain text and/or as an easily reversible password hash. Yes, end users' credential management matters, but it does not amount to much if the subject of the data breach does not inform its end users and the public about the breach. As you experienced...
And for that matter... Biometric or other types of authentication methods may not provide the level of account security sought after either. For cyber-criminals, it does not make a difference whether the stolen account credential is a password or a fingerprint, for example. Well, there is a difference. It is easier to replace the password than the fingerprint. Not to mention that while passwords are unlimited, the fingerprints of the end user in question are limited to ten, for most people. Once the biometric credential is out in the open, the end user is toast...
And that's just on the authentication server side. Hacking the client side is even worse, where smartcards, SecurID tokens, etc., can be exploited with ease.
Prior to settling on the type of authentication that we'll use, both server-side and client-side security need to change. Without securing the systems at the endpoints, there's not much reason to change the password-based authentication systems. Unfortunately, not much effort is put into this; it's much easier to blame the end user for not having credential management in place or for lacking a 12+ character strong password.
Entities can also blame an APT and point the finger at Russia, China, North Korea, or any other politically correct country for the data breach at hand. That's the "get-out-of-jail" card for the lack of security in these entities' systems, and it has been working for every one of them...
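The point about storage made in the comment above can be shown concretely. The following is an added example, not part of the comment or of any product it mentions: it takes the two passwords quoted there and "breaches" them under three storage schemes (plain text; an unsalted fast hash, which is what "easily reversible" means in practice, since a wordlist or lookup table undoes it; and a salted, iterated PBKDF2 hash). The five-entry wordlist is constructed for the demonstration; the scheme names and the `recover` function are this example's own, not any real system's API.

```python
import hashlib
import os

# The two passwords quoted in the comment above: one weak, one strong.
WEAK = "123456Ab"
STRONG = "3pHj1P38JVF4A"

# Constructed attacker wordlist standing in for a real leaked-password list.
# The weak password is in it; the strong one is not.
WORDLIST = ["password", "123456", "123456Ab", "qwerty", "letmein"]

# PBKDF2 work factor used by this example (kept modest so the demo runs quickly).
ITERS = 100_000


def store_plaintext(pw):
    """What a plain-text credential store hands an attacker: the password itself."""
    return {"scheme": "plain", "value": pw}


def store_md5(pw):
    """Unsalted fast hash: identical passwords hash identically, so a
    precomputed table or a quick wordlist run recovers common ones."""
    return {"scheme": "md5", "value": hashlib.md5(pw.encode()).hexdigest()}


def store_pbkdf2(pw, salt=None, iters=ITERS):
    """Salted, iterated hash: every guess costs the attacker `iters` HMACs
    and must be repeated per user because of the per-record salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iters)
    return {"scheme": "pbkdf2", "salt": salt.hex(), "iters": iters, "value": dk.hex()}


def recover(record, wordlist):
    """Simulate the attacker holding one breached record.

    Returns (recovered_password_or_None, number_of_guesses_spent).
    """
    scheme = record["scheme"]
    if scheme == "plain":
        # Nothing to crack: plain text costs zero guesses regardless of strength.
        return record["value"], 0
    guesses = 0
    for cand in wordlist:
        guesses += 1
        if scheme == "md5":
            h = hashlib.md5(cand.encode()).hexdigest()
        elif scheme == "pbkdf2":
            h = hashlib.pbkdf2_hmac(
                "sha256", cand.encode(), bytes.fromhex(record["salt"]), record["iters"]
            ).hex()
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
        if h == record["value"]:
            return cand, guesses
    return None, guesses


def breach_outcome():
    """Run both passwords through all three schemes.

    Returns {scheme: {password: recovered_or_None}}.
    """
    stores = {"plain": store_plaintext, "md5": store_md5, "pbkdf2": store_pbkdf2}
    return {
        name: {pw: recover(store(pw), WORDLIST)[0] for pw in (WEAK, STRONG)}
        for name, store in stores.items()
    }


if __name__ == "__main__":
    for scheme, results in breach_outcome().items():
        for pw, got in results.items():
            print(f"{scheme:7s} {pw:15s} -> {'RECOVERED' if got else 'not recovered'}")
```

Under plain-text storage both passwords come back instantly, which is the comment's point: the user's choice of password did not enter into it. Under the unsalted MD5 the weak password falls to the first wordlist pass while the strong one survives, so strength only starts to matter once the server stops handing the password over. The salted PBKDF2 column still loses the weak password to the wordlist, but at a per-guess, per-user cost; that cost, not the hash algorithm's name, is the property a practitioner should check when reviewing how a service stores credentials.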