Jimmy Kimmel, a U.S. talk show host, commented on U.S. cyber security after the 2014 Sony attacks. To humorously demonstrate the problem, they employed a bit of social engineering on the streets to see if they could get random users' passwords. While most people did not directly give their passwords, it was not hard to get them to reveal some personal information. This is one reason why Google wanted to switch to security keyfobs (which does not seem to have taken off). Linux, by the way, has had device-based authentication for a while that can be configured to log into the system, websites, etc. using almost any connect-able device.
Luckily for hackers, fooling a mass of people online is much easier than this.