Many people find passwords to be "nuisances", while others simply get confused and forget their passwords. But how do hackers get your password? There are many ways. Here are some.
1) They Guess! One of the most used passwords, even by some "experts", seems to be the word "password". I know someone who used "12345". In fact, there are ways to do a dictionary search for passwords; if it is in the dictionary, they will find it. Oh, lockout after 3 minutes? Some people think it is true but there are ways around that depending on how it is implemented. It is very rare that you have to call on the telephone if you've actually locked yourself out.
2) How about clicking on "Forgot Password?"? Well, that depends on what goes on next. In some cases, you will get a link in your email to reset your password. If someone has already hacked your email, they will see the link too. How about those questions they ask? Well, if you are a celebrity with nude photos, maybe they have already looked up your mother's maiden name or know who your maternal grandmother is. Sometimes, the answers to these questions can be found on your Facebook.
3) Then there is malware! A keylogger could have been placed on your computer to capture and upload everything you type in. Other malware can do similar things!
4) Poorly designed security systems (a "pet peeve" of mine): If you forget your password and the web administrator sends you an email telling you what your password is, something is very wrong. Employees at a company should NOT have access to your passwords, especially if the employees have not undergone a background check. Simple. Passwords need to be encrypted all along the way from your computer to the website you go to. Then, the password should stay encrypted. Unfortunately, I've seen way too many web programmers who keep passwords in a flat file available to almost anyone, including people who hack into the web site.
5) Hackers breach company security and get to the data they need! While you may have all sorts of protection on your computer, many companies have little or no security on their systems. For example, Home Depot, Target, Neiman Marcus, Anthem, the federal government (OPM), and others. These are all places that have been successfully hacked and had information stolen, including passwords (see my comments above: passwords should be encrypted). The only thing I can suggest is to pay attention when news of a data breach happens and vow to never patronize these places again. Hopefully, some of them received large fines or a big slap on the wrist.
6) Ever put your password in while someone looks over your shoulder? I knew someone who could capture whatever you are typing in like that.
7) Public WiFi! Be careful when using public WiFi. Contrary to what some believe, unless you are using SSL (HTTPS) encryption, everything going from and to your computer over public WiFi can be read by someone sitting in Starbucks with a laptop and some readily available software. Or someone in the parking lot could be "war driving".
8) Post-it Notes: Do you leave your passwords written down somewhere? Does anyone you don't know or trust get near that piece of paper?
9) Phishing: I refuse to use any link that some place sends me in an email that tells me to click on it and log in to check my account! They make it very hard to tell the real email from the phony email and, once you enter your ID and password, they upload them and then send you to the actual website to check your account so you won't know a thing has happened.
10) Endpoint Protection: You really should have some "anti-virus" (I hate that term) or desktop security software and use it, even if it becomes a pain in the butt.
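Item 4 above, as an added example that is not part of the original post: a Python sketch that converts a constructed flat file of `user:password` lines into stored records that let the site check a login while nobody, staff or intruder, can read the password back. It uses a salted one-way hash (scrypt) rather than reversible encryption; the sample accounts, function names and cost parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of the flat file item 4 describes: "user:password" in the clear.
FLAT_FILE = ["alice:password", "bob:12345"]

# scrypt cost parameters (assumed for this example; tune them for your hardware).
N, R, P = 2**14, 8, 1


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=32)


def make_record(password: str) -> str:
    """Return what the site stores: a random salt and a one-way digest, never the password."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_scrypt(password, salt).hex()}"


def verify(password: str, record: str) -> bool:
    """Check a login attempt by recomputing the digest with the stored salt."""
    try:
        scheme, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:  # malformed record: fail closed
        return False
    if scheme != "scrypt":
        return False
    return hmac.compare_digest(_scrypt(password, salt), expected)


def migrate(flat_lines):
    """Replace every flat-file line with a hashed record; the plaintext is dropped."""
    store = {}
    for line in flat_lines:
        user, _, password = line.partition(":")
        store[user] = make_record(password)
    return store


if __name__ == "__main__":
    store = migrate(FLAT_FILE)
    for user, record in store.items():
        print(user, record)                      # what a file thief would now see
    print(verify("password", store["alice"]))    # correct password
    print(verify("12345", store["alice"]))       # wrong password
```

Because the digest cannot be reversed, a "Forgot Password?" flow built on this store can only reset the password; it has nothing to email back.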
I hope some of this helps.