If a company or website gets hacked, why does it matter how strong my password is? Isn’t it more important that I don’t re-use a password?


If a site gets hacked, am I at any sort of advantage by having a complicated password, or does it not really matter at that point?


13 Answers

Anonymous 0 Comments

If the website gets hacked and they can get the unencrypted passwords, it’s not really relevant how strong the password is. Strong passwords keep people out using the “manual” way of breaking into your account, aka guessing your password. This can either be a brute force type attack or certain people that for whatever reason want to break into your account specifically.

Anonymous 0 Comments

The complicated password is so people don’t guess yours specifically.

If the site is hacked and password details leaked then your account is compromised regardless of how strong your password was.

You’re right about having different passwords.

Anonymous 0 Comments

So if you use a common password it’s easier for someone to hack your account; for instance, if your password is password instead of /8)4&/‘hsujs23, then it will be easier. They can use a rainbow table, which takes less computing power and time than a brute force attack. But you are mostly right about using different passwords. Having a password manager can be useful. But passwords are not a great source of protection for the attack you are describing.

Anonymous 0 Comments

Companies don’t store your password. They store a hash of it, which is a type of encryption (oversimplifying, I know). Hackers still don’t know your password, but they can guess passwords until they get the same hash to find it. If you use a really strong password they will probably never figure it out, so you will be OK. But if it is a weak password they will figure it out pretty fast. If you never reuse passwords though, it won’t affect you very much.

Anonymous 0 Comments

Any company worth its salt will store your password in a form called a hash. This is your password scrambled up and reduced in size with math, so it’s near impossible to get your original password back. The standard practice for hackers once they get the hash is to do the same math at all sorts of different passwords to see if your hash comes out. This is the reason you have complicated passwords. More possible different passwords make this so much more difficult.

So once they plug the hole in their security, the hackers won’t be able to just log in using your password. They wouldn’t have figured it out.

Anonymous 0 Comments

It is very rare for hackers to directly get your password. Any decent website doesn’t actually store your password; they store a “hashed” version of it. This is why when you hit “forgot my password”, the website has you reset your password instead of just sending you your password: the website doesn’t actually know your password.

So, if a site gets hacked, and the hackers get the hashed version of your password, they can’t actually use it to log in. However, they can try to guess your password, and they’ll know they guessed correctly if their guess has the same hash as the hashed version they got from hacking. This lets them try millions of guesses per second, so they’ll start by guessing millions of simple passwords. But if your password is complicated, they probably will never guess correctly, because there are trillions of trillions of possible complex passwords.
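Added example, not part of any answer in this thread: a small Python sketch of the hash-guessing the answers above describe, written as the audit a site owner could run on their own stored hashes. The user names, passwords, wordlist and iteration count are constructed for illustration, PBKDF2 stands in for whatever a real site uses, and the one-million-guesses-per-second rate is taken from the "millions of guesses per second" figure in the answer above.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumption: kept low so the demo runs quickly, not a recommendation

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the site's real hashing scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_record(password: str) -> dict:
    """What the site stores: a random salt and the hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def audit_against_wordlist(records: dict, wordlist: list) -> dict:
    """Hash every guess with each user's salt; a match reveals that user's password."""
    recovered = {}
    for user, rec in records.items():
        for guess in wordlist:
            if hmac.compare_digest(hash_password(guess, rec["salt"]), rec["hash"]):
                recovered[user] = guess
                break
    return recovered

def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this length over this alphabet."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)

# Constructed sample data: a leaked hash table and a tiny list of common passwords.
LEAKED = {
    "alice": make_record("password"),        # common password
    "bob": make_record("q7#Lz!4vRw@9Tm"),    # random 14-character password
}
COMMON = ["123456", "password", "qwerty", "letmein"]

if __name__ == "__main__":
    print(audit_against_wordlist(LEAKED, COMMON))
    print(f"8 lowercase letters: {years_to_exhaust(8, 26, 1e6):.4f} years")
    print(f"14 printable chars:  {years_to_exhaust(14, 94, 1e6):.2e} years")
```

Only the account with the common password is recovered; the random 14-character password is not in the wordlist, and exhausting its search space at that rate would take on the order of 10^14 years.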

Anonymous 0 Comments

Considering all of this, how come I have had a nonsense password hacked before? Luck?

Anonymous 0 Comments

Some shitty websites will store your password in plain text, but any good/legit website won’t. So if you use the same password on all websites, then yes, it doesn’t matter how good your password is if the plain text website gets hacked. Good/legit websites store the password’s hash, which is your password after running it through a bunch of math (i.e. encryption). Since most websites use common encryption methods, the hackers can reverse engineer what your password is by guessing the encryption method and seeing if they can match the hash. The more common a password is, the more likely they are able to match the hash.

So yes, it’s best to use a combination of a strong password and also not reusing your passwords.

Anonymous 0 Comments

TIL that hash is much more than a delicious breakfast food. Thanks for the great responses everyone!

Anonymous 0 Comments

All answers about hash are great, BUT you still should use different passwords and not re-use them.

Some companies poorly handle their security and don’t hash the passwords properly (for example, if a company sends your previous password by email when you ask for a forgotten password, that’s a HUGE red flag). There are also other ways to obtain your password (e.g. phishing, finding it from hash by chance)…

TL;DR: it’s still better practice to not re-use passwords.