Passwords are pretty much defunct, we have entered the world of tokens. A simple website will allow a username and password as a quasi token, with a recovery email one time code as a backup. More security conscious websites won’t allow just a password and will need a “safe” IP address or machine signature or one time code each time.

If you have just a username and password with no recovery options you have to accept you’ll lose your password and this access eventually.