
How will two-factor auth prevent loss of your source code? (assuming your password is unique)



Keyloggers? Social engineering around the password reset function?

I use 2FA on all my personal accounts that support it (Twitter, GitHub, Gmail, Namecheap, banks).


If software can log your keypresses, it can probably steal your cookies and log in as you from your machine. Cookies stored by browsers are easily readable by processes running as the same user.


It will help when my unique password gets exposed through any of the many likely routes that don't give the attacker complete code execution on the servers - SQLi or using XSS to steal admin tokens, for example.


Interesting, SQLi that works only for reading encrypted_hash from the DB? But since the password is unique, it cannot be brute-forced even locally.


True - it's the (many many documented[1]) cases where the SQLi grabs the password_cleartext column, not the encrypted_hash one that worry me here.

[1] http://plaintextoffenders.com/



