My (limited) understanding is that hackers can access websites using one of 4 main techniques...
1. Social engineering methods (no hacking required).
2. Trying out previously compromised login credentials (which can be purchased on the dark web) on multiple websites in the hope that some will work. This is why unique passwords for each site are important.
3. Using brute force techniques to try to guess passwords (which is why length and complexity are important). This is also why it's good to avoid dictionary words or common phrases.
4. Directly hacking websites to find databases containing the login credentials of each user. This is out of the control of the user, as you just have to trust the security policies of the website holding your password. Whether a stolen password database is of any use to the hacker depends on how it is stored. Plain text would be very easy to exploit, whereas 'salted' hash values would be very difficult to exploit. However, if the database contains unsalted hash values (as many apparently do) then it is open to attack using Rainbow Tables. In that case, it doesn't matter how long or complex a password is: every account is potentially at risk of being breached, even if a password is a 128-character-long string of random characters.
Please can someone tell me if I am correct about this?
Have I got anything wrong?
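The following is an added example, not part of the original post, illustrating the mechanism behind point 4. It uses a precomputed hash-to-password lookup table (the straightforward form of the attack that rainbow tables compress into chains) against unsalted hashes, then shows what a per-user random salt does to that table. The candidate password list, the `salt$digest` storage format and the choice of SHA-256 are constructed for illustration only; real password storage uses a dedicated slow hash such as bcrypt, scrypt or Argon2, not a plain SHA-256.

```python
import hashlib
import os

# Constructed stand-in for a leaked password list / the input space of a rainbow table.
CANDIDATES = ["password", "letmein", "qwerty", "hunter2", "correcthorse"]


def build_lookup(candidates):
    """Precompute digest -> password once, for every candidate.

    This is the work a rainbow table front-loads: it is done before any
    database is stolen and is reusable against every unsalted database.
    """
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}


def store_unsalted(password):
    """Hash stored by a site that does not salt (same password -> same digest)."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """Hash stored by a site that salts: random 16-byte salt kept beside the digest.

    Storage format 'salthex$digest' is an assumption made for this example.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def crack_unsalted(stored_digest, lookup):
    """One dictionary lookup per user; no hashing at attack time."""
    return lookup.get(stored_digest)


def crack_salted(stored, candidates):
    """The precomputed table is useless here: the attacker must recompute every
    candidate with this user's salt. Returns (password_or_None, hashes_computed).
    """
    salt_hex, digest = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    work = 0
    for p in candidates:
        work += 1
        if hashlib.sha256(salt + p.encode()).hexdigest() == digest:
            return p, work
    return None, work


def attack_work_comparison(users, candidates):
    """Total hash computations needed to attack a list of (name, password) pairs.

    Unsalted: the table is built once (len(candidates)) and serves all users.
    Salted: the candidate list is re-hashed for every user.
    """
    lookup = build_lookup(candidates)
    unsalted_work = len(candidates)
    unsalted_hits = sum(crack_unsalted(store_unsalted(pw), lookup) is not None
                        for _, pw in users)
    salted_work = 0
    salted_hits = 0
    for _, pw in users:
        found, work = crack_salted(store_salted(pw), candidates)
        salted_work += work
        salted_hits += found is not None
    return {"unsalted": (unsalted_hits, unsalted_work),
            "salted": (salted_hits, salted_work)}


if __name__ == "__main__":
    # Constructed user database: three users reuse a weak password, one uses a random one.
    users = [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "letmein"),
             ("dave", os.urandom(12).hex())]
    print(attack_work_comparison(users, CANDIDATES))
```

Two things to observe when running it: with unsalted storage every user who chose `hunter2` has the identical digest, so one table entry cracks all of them at once and the table cost is paid once for the whole database; with salts, the same password stored twice yields two different records, and the precomputed table does not match either, so the attacker's cost scales with the number of users as well as the number of candidates. In both modes a password that is not in the candidate list is simply never found by this attack.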