Unless your password is something really common like “password1”, or just your username, or something very easily guessable like that, you’re generally safe from someone just sitting down and logging into your account casually.

So for any good website with even the faintest concept of security, your password is not stored. When you ask to reset your password, the reason why they can’t just send you their password is because they don’t know it. (Incidentally, if they DO send you your password, that means they clearly don’t care about security.) When you enter your password, it’s run through a complicated algorithm to encrypt it which, in theory, should be uncrackable without knowing the exact way it was encrypted.

Brute force attacks basically occur when they’ve gotten a list of encrypted passwords from a website (which happens more often than the companies would like you to think). They can then use their own computer to brute force this stuff until they start to produce things which feasibly look like passwords. Once they have those, they can try them, and boom, they’re in.

This, incidentally, is why you should have unique passwords for every site. Data breaches happen a lot, and if they’ve found one email and password combo which works on Facebook, they’re gonna try it on other sites too.