They don’t hack your password by trying to log in through the main website the way you do.

By far, the main way hackers steal passwords is phishing attacks. Let’s imagine they somehow get a list of the emails of every Bank of America customer. They then create a website that looks just like Bank of America, throw it online at BankoofAmerico.com, and send the customers an email saying “There has been fraudulent activity on your BoA account, please >CLICK HERE< to log in immediately to confirm recent charges.” Clicking there takes you to bankoofamerico.com, and enough people will ignore the misspelled domain name to put their real credentials in, which get sent to the hackers.

There are other methods as well. Passwords are stored encrypted, but reversing encryption can be relatively fast, so if hackers get a list of encrypted passwords they can convert that to a list of passwords. This method is easily defeated by something called “salting” which I won’t go into detail on here, but 99% of websites salt their hashed passwords so this isn’t seen as much. But shitty websites can be defeated this way.

If you have malware on your computer, it could log every key you press on your keyboard and send it to a hacker, which would easily expose passwords. Same goes for using a public computer – always assume anything you do on a public computer is going to be posted on a billboard above a major highway.

If you are using a public wi-fi network, it is possible that a hacker might be controlling the wi-fi (or just on the wi-fi with their laptop, but tricking your laptop into thinking that they’re the router), and thus looking at all data you send and receive. Most websites will use HTTPS which defeats this, so long as you reject invalid certificates.