What hackers will do is rather steal the big list of everyone’s username and password that is kept on the website’s end. In order to check that you’re entering the right password, the website of course has to have it saved somewhere. Now, most services will keep this big list highly encrypted, so the hacker is either going to have to decrypt that big list, or find a website/service that has weak security and keeps their passwords saved in plain text, and then hope that you used the same username and password on multiple sites – both of these things are surprisingly common.
But – this is not the most common way that people are “hacked” in modern times. Rather than decrypting stuff, they’ll just use a targeted scam to get you to willingly reveal your password. They’ll do this by doing stuff like sending you e-mails pretending to be your bank, or sending you text messages pretending that you have a package to pick up or something like that. They’ll create a fake version of the webpage you’re used to using that doesn’t work; all it does is save what you enter into the username + password input boxes for them to use later.
They don’t guess your password.
Instead they attack the site you’re logging into. They try to steal the user data. Part of that data is a big number that represents your password. When you created your account, the site did some math on your password to create this number. The math is set up so it’s impractical for someone to figure out what password corresponds to each number. When you put your password in, the site does the same math on your input, then compares the number it gets to the number it stored. If they match, it reckons you put in the right password.
The math is not perfect. And attackers can do the math. So they make huge files where they try tons of common passwords like birthdays or “password” etc. and do the math to get the numbers. Then they compare those big lists of numbers to every number in the user data they stole. If they find any matches, they’ve got that person’s password. So when they log in, they only need one try.
Over time, attackers try every possible combination of letters and make huge lookup tables. For some older versions of the math, they can instantly crack any password up to about 15 letters. They’re still working on it for newer math, we keep making the math slower and more complicated to stifle them. But even with the old math, if you had a 25 or 30 letter password, they wouldn’t have it in their big tables yet. That’s why long passwords are really good and why maximum lengths are very stupid.
They don’t hack your password by trying to log in through the main website the way you do.
By far, the main way hackers steal passwords is phishing attacks. Let’s imagine they somehow get a list of the emails of every Bank of America customer. They then create a website that looks just like Bank of America, throw it online at BankoofAmerico.com, and send the customers an email saying “There has been fraudulent activity on your BoA account, please >CLICK HERE< to log in immediately to confirm recent charges.” Clicking there takes you to bankoofamerico.com, and enough people will ignore the misspelled domain name to put their real credentials in, which get sent to the hackers.
There are other methods as well. Passwords are stored encrypted, but reversing encryption can be relatively fast, so if hackers get a list of encrypted passwords they can convert that to a list of passwords. This method is easily defeated by something called “salting” which I won’t go into detail on here, but 99% of websites salt their hashed passwords so this isn’t seen as much. But shitty websites can be defeated this way.
If you have malware on your computer, it could log every key you press on your keyboard and send it to a hacker, which would easily expose passwords. Same goes for using a public computer – always assume anything you do on a public computer is going to be posted on a billboard above a major highway.
If you are using a public wi-fi network, it is possible that a hacker might be controlling the wi-fi (or just on the wi-fi with their laptop, but tricking your laptop into thinking that they’re the router), and thus looking at all data you send and receive. Most websites will use HTTPS which defeats this, so long as you reject invalid certificates.
Passwords are stored as hashes. To get a hash, you take your password and do math on it to randomize it. The hash can’t be reversed, and the data of your account is now locked with the hash. Since you can’t reverse it, hackers can’t guess your password; they either use phishing or they get hold of the website’s database, which stores the hashes, or sometimes plain text passwords.
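The answers above describe the stored “number” (a hash), the precomputed lists attackers compare against it, and the “salting” that one poster skips over. Here is an added Python example (not code from any of the posters) that shows both sides: a weak unsalted fast hash that a small precomputed table of common passwords matches immediately, and a salted, deliberately slow scheme (PBKDF2-HMAC-SHA256 from the standard library) that the same table cannot match. The list of common passwords and the user records are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny version of the "huge file" of common passwords
# that the posts describe attackers hashing in bulk.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]


def fast_unsalted_hash(password: str) -> str:
    """Weak scheme: one fast hash, no salt. Equal passwords give equal hashes,
    so one precomputed table covers every user on every site that does this."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """The attacker's table: hash -> password for each candidate."""
    return {fast_unsalted_hash(p): p for p in candidates}


def table_hits(stolen_hashes, table) -> dict:
    """Defender's check on a leaked list: which stored hashes appear in the table."""
    return {h: table[h] for h in stolen_hashes if h in table}


def store_salted(password: str, iterations: int = 100_000) -> dict:
    """Stronger scheme: a random per-user salt plus a slow key derivation.
    The salt is not secret; it is stored in the clear next to the hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(record: dict, attempt: str) -> bool:
    """Redo the same math with the stored salt; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> tuple:
    """Constructed leak of two users; returns (unsalted hits, salted hits)."""
    table = build_lookup_table(COMMON_PASSWORDS)
    weak_db = [fast_unsalted_hash("password"), fast_unsalted_hash("qwerty")]
    strong_db = [store_salted("password")["hash"], store_salted("qwerty")["hash"]]
    return table_hits(weak_db, table), table_hits(strong_db, table)
```

Because every user gets a different salt, two people with the same password produce different records, so an attacker cannot reuse one table across users or sites; the slow derivation makes building a per-user table expensive.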