“Thinking like a hacker means studying the tooling that hackers use, attending hacker conferences such as DEFCON [and C-Days in Portugal], and practicing hacking and exploitation in a lab environment.”
In “Think like a Hacker: A Sysadmin’s Guide to Cybersecurity” by Michael J. Melone
What happens in real life passwords-wise? (I know what I’m talking about; back in the day I was in the trenches doing this for a living…)
The passwords are usually stored in a database with the username, when you enter your username and password one is checked vs another. Obviously if the database was stored "in the clear" anyone who stole it or looked at it would know your password. This can't work for anywhere where the user accounts must be secure - even from employees, which is basically everywhere. So, what is done is that the password is "hashed" which means that it is encoded using a one-way conversion formula. If I have the formula and the password I can reproduce the hash result, that's a match! I can open your account! That's what a website does when you enter the right password. But if you just have the hash then if you give that to the website it will apply the formula and create a different result and the system will say "no dice". So having the hashes is no use to a hacker.
Unless the hacker guesses the formula. And this is where the billions of attempts come in. If an employee or hacker steals the list of hashes and usernames they will use them to guess the formula. The bigger the list the more chances of a password being repeated in it, if the hacker spies two hashes that are the same (or with modern functions, hashes that are related with a regularity that clever math can show) then that might mean that the passwords used to generate them are the same, and if the said password is 12345678 then it's very likely Mr. hacker will guess the formula required, and at that point off we go to the races. If the hacker has the database on his own computer (and one can rent very big, very fast computers now for very little $$$) many billions of guesses and tries and tests on the hash function can be done every second.
Good web sites do three things, firstly they "salt" their passwords with a random string which is kept separately like "733bi/fo@@h732=|$dGGGHHH&+~52-" which means that all passwords have that added to them before hashing. Secondly, they use strong hash functions like not SHA-1. The final thing that it is easy to do is to stop users using any password in the top 5000 passwords lists, stop them using any dictionary word and insist that the password contains numbers, capitals, lowercases and symbols.
Unfortunately, such is the sophistication of password cracking software these days that even a long password is no guarantee of security and hardware is getting faster all the time so just a long password is no cast iron guarantee of security. Use very different passwords on online services and be careful about the links between different apps; these days you can use your Facebook ID to login to a range of different sites for example; if you do this consider the implications of what could be accessed if say your Facebook ID is compromised and the data that is shared between the 2 sites.
A password manager is a good way to go for remembering all these different passwords some of them will generate a random password of a specific length for you when you set up a new account and they are available as apps on smartphones, however choose a secure password to access it and ensure it is securely encrypted using something like AES and be careful where it's stored, remember the "Cloud" is just another computer hosted somewhere in the world, there is no guarantee cloud storage is secure; if you back up to these services then encrypt the backups (Companies like Apple offer this with just a check box and password field as an option in your back up settings).
I am extremely careful with LinkedIn these days, I once found all my information available online (legitimately) because they had changed their privacy options and data was open by default to certain LinkedIn partners who took it upon themselves to publish my CV publicly (thanks for the spam to the email accounts I used at that time guys!), they seem to have a very relaxed approach to privacy and peoples profiles often appear in straight Google searches, CV's by their nature tend to include a lot of personal information, and certainly a lot of contact info.
Most hacking attempts do not even use passwords; they exploit failings of the site's code itself. Meanwhile the 'password complexity' argument is based on being able to submit thousands of passwords a second to the same account. Any system which allows that is a dumb piece of design. The sensible answer is that you should not use a guessable password. The rest is basically a 'straw man' designed to shift attention away from the real security failings of the software industry.
Passwords are recognised as being extremely fallible and there is a big discussion going on as to how to replace them, biometrics are equally insecure and you can't change them if they are compromised, as for flaws in code allowing exploits, these will always exist, even the best programmers make mistakes and the sophistication of cracking tools is improving all the time. I view this as being a bit like home security, you can add all the window locks, security deadbolts and alarms that you like, it's never a guarantee that someone can't break in, and in the case of on-line data where government funded agencies are involved then all bets are off.
Personally, I try not to put anything important on the internet, my plans for world domination and my Mum's recipe for bread pudding I memorise, and keep in my head, they can't hack that......yet! :)
Bottom-line: Hackers don't try to guess passwords to get your account. They hack into the system, steal the encrypted data and then, outside of its secure ecosystem it is now vulnerable to brute force attacks. Once a reasonable number of passwords has been hacked, this can be sold onto the highest bidder who will then harvest your data. Often, they will use the same username-password combination on other common websites such as PayPal and Amazon where they can make online purchases or Facebook and Gmail/Hotmail where they will begin the process of identity theft or look through old messages for even more important passwords or bank account details. Remember that holiday you took with your mates and you instant messages them your bank details so they could pay you for the flights? Yep, that's still in your message box. So, change that Facebook password. Now!