When it comes to hacking, the type of password, how you store it, or whether or not you use 2FA does not always matter. The whole idea behind hacking is to exploit the system by finding a flaw in it to bypass authentication. For example, if the mail server has a flaw where sending a specific packet lets you inject stuff into memory, then you can make it do something it was never designed to do, such as run arbitrary code. Or if something like Heartbleed is not patched, etc. That is typically how a server gets hacked. Of course, if you use weak passwords then the hackers don't even need to go that far, as brute force will eventually let them in through SSH. Then they just dump whatever data that server had on it.
I use a different password for every service and use a password manager, though, so if one site gets hacked, ideally the password that leaked is not being used for anything else. I do use a web-based password manager, though; I wanted something self-hosted that will work on any machine that is on my network without having to install anything.
I probably should switch to 2FA for sites that implement it, but I just hate that every site uses their own proprietary system (e.g. some may use Authy, some might use Google, some might use their own, etc., so you end up with all these apps) that requires some app, and it's stuck to my phone. What if I lose my phone, or want to change my phone? The authenticator app is basically a black box I have no control over or a way to back up. Well, some might, but not all will. Depends on the site and what their app is like. They really need to come up with a better standard for that. It should be some kind of key pair thing where you generate a private/public key and you give them the public key. Then you can use an app or even a hardware token that stores the private key, but make it a standard so from a client point of view I can have all my sites in one place instead of needing an app for each one. And most importantly, a way to back it all up.