You don't need to be online at all. I've been caught up in several data breaches already... companies who failed to secure my personal information. That's on them. But I have no control over how well they protect my data. What control I do have, I try to use to the best of my ability, including trying to read enough tech/security news to be aware of new risks that keep coming at us. But we never know everything, and we are always at risk. Even if you don't own a computer or smartphone, you can still be the victim of identity theft.I don't care how secure you think you may be once you access any online account from any device you information is available to be gotten.
My wife and I actually just got a check a month or so ago from the Indiana settlement with Equifax... almost $80 each. That was way better than the one-year free credit monitoring we got from Home Depot! We got nothing from other breaches... "Oops, we're so sorry."
Earlier this year Verizon notified us that "their network had been infiltrated"... and they recommended that we should "change all of our passwords on other sites" that interacted with them. So, since two factor authentication (2FA) is the "secure thing" these days, that meant I needed to change passwords at banks, insurance companies, and others. "Oops, we're so sorry." I am still pissed off about this one. But I also took the opportunity to make the gibberish passwords even longer and change the security question and answers too.
The length of passwords needed to remain secure gets longer and longer because people trying to crack them get better and better tools. Currently, 12-characters seems to be the minimum, with 16-characters (or more) preferred. See: