"I wonder, if we shouldn't be using unique usernames and passwords for each site."
He's an expert and he's only wondering? What will it take to make him sure?
Of course we should. We all used to, until sites decided to use email addresses as user IDs. And it's even worse when some sites - looking at you, PayPal - hand out the email address to other parties and can't even see what's wrong with that when it's drawn to their attention. Given that most folk only have one email address anyway, the password is the only meaningful credential. No wonder people witter on about 2FA. With any reasonable policy about user IDs it would be 3FA.
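As an added example (not the commenter's code, and not anything PayPal does), here is one way to get the per-site unique username and password the comment argues for: derive both from a single master secret with HMAC-SHA256, domain-separated by site and by purpose. The `Site` class, the master secret and the account names are constructed for the demo; a real site would use a slow password hash and the master secret would live in a password manager or hardware token. The point it shows is the commenter's: when the username is also per-site, a pair leaked from one site does not even identify the account at another, so credential stuffing fails twice over.

```python
"""Per-site usernames and passwords derived from one master secret."""
import base64
import hashlib
import hmac
import os

# Constructed master secret for the demo. In real use: a random 32-byte
# value kept in a password manager, never typed into any website.
MASTER_SECRET = b"demo-master-secret-32-bytes-long!"


def _derive(master: bytes, site: str, purpose: str) -> bytes:
    """HMAC-SHA256(master, purpose ':' site).

    'purpose' keeps the username and password derivations for one site
    unrelated; 'site' keeps different sites unrelated.
    """
    msg = f"{purpose}:{site.lower()}".encode()
    return hmac.new(master, msg, hashlib.sha256).digest()


def site_username(master: bytes, site: str) -> str:
    """A 17-character handle that is not an email address and is unique to
    the site, so it cannot be correlated across breaches."""
    raw = _derive(master, site, "username")[:10]  # 10 bytes -> 16 base32 chars
    return "u" + base64.b32encode(raw).decode().lower()


def site_password(master: bytes, site: str, length: int = 24) -> str:
    """A per-site password: 24 characters of base64url, 144 bits of the MAC."""
    raw = _derive(master, site, "password")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")[:length]


def _pw_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever slow hash a real site would use.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Site:
    """Minimal relying party (constructed for the demo): username -> salted hash."""

    def __init__(self, name: str):
        self.name = name
        self._accounts: dict[str, tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = (salt, _pw_hash(password, salt))

    def login(self, username: str, password: str) -> bool:
        rec = self._accounts.get(username)
        if rec is None:           # unknown username: attacker never gets this far
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _pw_hash(password, salt))


def demo() -> tuple[bool, bool]:
    """Replay a pair leaked from shop.example against bank.example.

    Returns (stuffing succeeds with email+reused password,
             stuffing succeeds with per-site derived credentials).
    """
    shop, bank = Site("shop.example"), Site("bank.example")

    # Today's norm: email address as user ID, same password everywhere.
    shop.register("alice@example.org", "correct horse battery staple")
    bank.register("alice@example.org", "correct horse battery staple")
    reused_stuffing = bank.login("alice@example.org", "correct horse battery staple")

    # Per-site credentials derived from the master secret.
    for s in (shop, bank):
        s.register(site_username(MASTER_SECRET, s.name),
                   site_password(MASTER_SECRET, s.name))
    leaked_user = site_username(MASTER_SECRET, "shop.example")
    leaked_pw = site_password(MASTER_SECRET, "shop.example")
    derived_stuffing = bank.login(leaked_user, leaked_pw)

    return reused_stuffing, derived_stuffing


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The derivation is deterministic, so the same master secret regenerates every site's credentials on a new device; the cost is that the master secret is now the single thing worth protecting, which is exactly what a password manager is for.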