If a company or website gets hacked, why does it matter how strong my password is? Isn’t it more important that I don’t re-use a password?

If a site gets hacked, am I at any sort of advantage by having a complicated password, or does it not really matter at that point?

In: Technology

13 Answers

Anonymous 0 Comments

It is very rare for hackers to directly get your password. Any decent website doesn’t actually store your password; they store a “hashed” version of it. This is why when you hit “forgot my password”, the website has you reset your password instead of just sending you your password: the website doesn’t actually know your password.

So, if a site gets hacked, and the hackers get the hashed version of your password, they can’t actually use it to log in. However, they can try to guess your password, and they’ll know they guessed correctly if their guess has the same hash as the hashed version they got from hacking. This lets them try millions of guesses per second, so they’ll start by guessing millions of simple passwords. But if your password is complicated, they probably will never guess correctly, because there are trillions of trillions of possible complex passwords.
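The guess-and-compare check this answer describes, written as a password audit; this is an added example, not part of the original answer. The account names, passwords, word list and the use of unsalted SHA-256 are all constructed assumptions.

```python
import hashlib

# Constructed sample data: a tiny common-password list and two made-up accounts.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon"]


def sha256_hex(password):
    # Unsalted SHA-256 keeps the demo short (an assumption about the breached site).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# What a breached database would hold: hashes only, never the passwords themselves.
STORED_HASHES = {
    "alice": sha256_hex("letmein"),       # simple password
    "bob": sha256_hex("T7#vq!Lm2$xZ"),    # 12 random printable characters
}


def audit(stored, guesses):
    """Hash every guess and compare; return {user: matched guess or None}."""
    by_hash = {sha256_hex(g): g for g in guesses}
    return {user: by_hash.get(h) for user, h in stored.items()}


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Time to try every password of this length at the given rate, in years."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # The simple password is matched; the complex one is not in any guess list.
    print(audit(STORED_HASHES, COMMON_PASSWORDS))
    # 94 printable ASCII characters, 12 long, at one million guesses per second.
    print(f"{years_to_exhaust(94, 12, 1e6):.2e} years")
```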
