Hackers can often find passwords quite easily. Sometimes they get lucky with the password hint, if you've set one. I had one friend who told me once, "You'll never guess my password," and said it was a catalogue firm she used to work for in Preston. I said to her, "Is your password Great Universal?" Guess what: yes, that was her password (she quickly changed it). Of course, that one was quite simple, as Great Universal was possibly the only, and certainly the largest, catalogue firm in Preston. There were others, but if someone said they worked for a catalogue firm in Preston it was highly likely to be Great Universal!
On top of that, you might have the most secure password in the world and then use it on multiple accounts. When you type a password into a system, a well-built system doesn't keep the password itself: it runs it through a one-way hash function and stores the resulting code, and that code can't be turned back into the password. A crude picture of the idea: take each letter's position in the alphabet and add them up, so a password of abcd gives 10 (1+2+3+4). But badc also gives 10, as do bacd, bcad, bcda and so on, so knowing the number 10 doesn't tell you which password produced it. Real hash functions are far stronger than that toy: two different passwords producing the same code is something you would never find in practice, and what makes them one-way is that there is no practical way to work backwards from the code to any input at all. Either way the practical result is the same: a properly built system can't tell you your password when you've forgotten it, it can only let you set a new one.
The good thing about this is that if someone breaks into the server that stores these codes, they can't see the passwords, only the "hash codes", which can't be directly reversed. This is why, when Sony got hacked, they were worried but reassured everyone that the stored passwords were hashed rather than kept in the clear. A couple of details are worth getting right here. In practice your browser sends the password itself to the site over an encrypted connection and the site does the hashing on its server; if a site instead accepted the hash from your computer, the hash would effectively be the password, and anyone who stole the hashes could log in with them directly. Also, many sites still use MD5 for this, which is a poor choice: it is so fast that an attacker can try billions of guesses a second, whereas purpose-built password hashes such as bcrypt, scrypt or Argon2 are deliberately slow. The "salt" is a random value mixed in with the password before hashing, and it should be unique to each account, not just to the site. That way two users with the same password get different codes, and a table of precomputed codes built for one leak is useless against another.
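To make the hashing description above concrete, here is an added example in Python, not code from the original post: the toy add-up-the-letters code alongside an unsalted SHA-256 and a per-account salted, deliberately slow PBKDF2 record with a verify step. The record layout, the iteration count and the sample passwords are my assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed demo value; production setups use several times this


def toy_hash(password: str) -> int:
    """The 'add up the letter positions' code from the text: a=1, b=2, ...
    Every anagram collides, so the code says little about the password."""
    return sum(ord(c) - ord("a") + 1 for c in password.lower() if c.isalpha())


def unsalted_hash(password: str) -> str:
    """A real one-way hash, but with no salt: identical passwords give
    identical codes, so one precomputed table cracks every account."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a password the way a server should: a random per-account salt
    plus a deliberately slow hash (PBKDF2-HMAC-SHA256 from the stdlib;
    bcrypt, scrypt or Argon2 are the usual production choices)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time.
    The server never needs, and never has, the original password."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    print(toy_hash("abcd"), toy_hash("badc"))                    # both 10
    print(unsalted_hash("hunter2") == unsalted_hash("hunter2"))  # True: same code for two users
    alice = make_record("hunter2")
    bob = make_record("hunter2")
    print(alice["hash"] != bob["hash"])                          # True: the salt makes the stored codes differ
    print(verify("hunter2", alice), verify("Hunter2", alice))    # True False
```

Note that `verify` works entirely from the stored record, which is exactly why a site built this way can reset your password but never tell you what it was.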
There are, though, a few problems with this. Firstly, some firms don't hash passwords at all; they just store the password as typed. If you've used a password on a site that stores it in the clear and that site gets hacked, then every other site where you use the same password can be taken over too. My sister had this done to her once: she had the same password for a number of accounts, including her Sony, Facebook, Gmail and PayPal accounts. The hackers figured out her password, went through all the accounts and bought loads of games on the Sony account. Since then she has made sure she always uses different passwords.
Another problem is that when you sign up for an account you assume the site is legitimate and will store your password safely. There are billions of websites out there and only some of them handle passwords properly. Some are set up specifically to harvest credentials: most sites ask for your email address when you register, and if it's a webmail address like Gmail, Yahoo or Hotmail, a fake site will try the password you just gave it against that email account and any other accounts it can find. Even a well-known site can be a risk, because hackers sometimes take over the site and put up fake login pages; it has happened to even the big companies like Sony.
The next stage is dictionaries. If they've got the hash codes from a breached site, they can't turn them back into the original passwords directly, but they can run them through a dictionary of likely passwords. A cracking dictionary is a list of common passwords together with the codes they produce; searching for the stolen code in that list turns up the obvious passwords that might have been used. This is why you're always told to add numbers and symbols: it makes the space the attacker has to search much bigger. Going back to the toy example: if I had a code of 9 and knew the password was 3 letters long, there are a number of possibilities. It could be dda, ccc, dbc or dad (and a few more), and of those, dad is by far the most likely real password. Now suppose we allow the @ symbol and give it a value of 27: d@d would be 35, and 35 can be produced by many more 3-character combinations, zed among them, so the guessing gets harder. With a real hash the gain is the same in principle: every extra type of character multiplies the number of guesses an attacker has to hash and compare.
So it's not only at your end that hackers can get hold of passwords; they also get them by breaking into big corporations. They might get your password from one company or website, and because you've used the same password across multiple websites, be able to use it everywhere else too.
You might be thinking that trying to get the password by putting in one letter at a time and incrementing would take forever, and for a long password it would, which is exactly why hackers don't rely on that. They work from lists of passwords people actually use, plus whatever they already know about the person. Another way of staying safe is to avoid passwords that are words found in the dictionary, or, if you do use a word, to change the spelling: if your password was "telephone", try "telefone". A basic dictionary will only have telephone listed, and the hash code for telefone is totally different. Be aware, though, that cracking tools apply "mangling rules" to every word in their list (swapping letters for symbols, adding digits, common misspellings), so a simple substitution buys you less than a longer password does. The codes for those two in plain MD5 would be:
telephone - b9bb7e7b00a4ba1e0d15fa8b2485d8c4
telefone - 401f10c2e4cabb5f2d7c1b4aeaaa69ce
Very similar words, but totally different codes.
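As an added example covering both the dictionary attack described above and the "telefone" trick, here is a small Python cracker, not code from the original post: it precomputes MD5 codes for a wordlist plus a few mangling rules, looks up a set of constructed "leaked" hashes, and shows that a per-account salt stops the precomputed table from being reused. The wordlist, the rules, the leaked hashes and the salt are all my own constructions for the demo.

```python
import hashlib


def md5_hex(text: str) -> str:
    """Plain unsalted MD5, as the text says many sites still use."""
    return hashlib.md5(text.encode()).hexdigest()


# Constructed stand-in for a cracking wordlist (real ones run to millions of entries).
WORDLIST = ["password", "123456", "letmein", "telephone", "dad", "qwerty"]


def mangle(word: str):
    """Mangling rules of the kind cracking tools apply to every wordlist entry.
    Each rule here is an assumption for this demo, not a specific tool's rule set."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "123"
    yield word.replace("ph", "f")                                      # telephone -> telefone
    yield word.replace("a", "@").replace("e", "3").replace("o", "0")  # password -> p@ssw0rd


def build_table(words, rules=mangle) -> dict:
    """Precompute hash -> candidate for every word and every mangled form.
    Built once, it can be reused against any unsalted leak."""
    table = {}
    for word in words:
        for candidate in rules(word):
            table.setdefault(md5_hex(candidate), candidate)
    return table


def crack(leaked_hashes, table) -> dict:
    """Look each stolen hash up in the table; None means not found."""
    return {h: table.get(h) for h in leaked_hashes}


def salted_md5(salt: str, password: str) -> str:
    """Even a per-account salt on a weak hash breaks table reuse: the
    attacker has to rebuild the whole table for every salt value."""
    return md5_hex(salt + password)


# Constructed "leaked" hashes for four accounts; the last one is a long passphrase.
LEAK = [md5_hex(p) for p in ("telefone", "p@ssw0rd", "dad", "correct horse battery staple")]

if __name__ == "__main__":
    table = build_table(WORDLIST)
    for h, found in crack(LEAK, table).items():
        print(h, "->", found)                 # first three found, passphrase -> None
    print(table.get(salted_md5("x7", "dad")))  # None: the table misses the salted code
```

The misspelling is caught by one cheap rule, while the long passphrase is never in the table at all; that is the practical reason length beats clever substitutions.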