I defend against that scenario by letting my password manager generate a different random password for every site. It defends also against sites handling passwords in terribly wrong ways, hacks, leaks, etc.