There are a number of ways your password can be compromised. It can be leaked by an improperly configured website, it can be guessed by a computer program, a computer can try a bunch of words in a dictionary, etc. It’s probable that at least one of your passwords was compromised already (RockYou2021: Largest Ever Password Compilation Leaked | CyberNews).
So what can you do to protect yourself? Well, to start, use a long unique password for every website you use. Unique passwords for each website are incredibly important, if one website has a breach and your password is exposed you don’t want a malicious person using that password to log into every other service you use. Long passwords will take longer to figure out if they’re trying to guess it or use a dictionary attack. Most websites will enforce rules like using a special character, upper and lowercase letters, and numbers, so get creative. @rUbber1ducKlett%the,bathTime&pokeMon#4 would be a pretty solid option as a lengthy password, as would &zebuLon$the,Mightiest#7heRo@tHe;RolleR5disCo?, but how are you supposed to remember all those variations? Use a password manager like Microsoft Authenticator or LastPass! I prefer Microsoft Authenticator for personal use because of its ease of use and zero dollar price tag. LastPass is a great tool that I’ve used to collaborate with coworkers and to control login information. Both options work across all devices and have browser addons to make signing into all your websites and services a breeze.