As Ars Technica writes, even if you use complex passwords and a hacked website only stores password hashes (not actual passwords), passwords are terrifyingly easy to figure out from hashes. As this article says, “with the hashes exposed, users should presume their passwords are already known to the attackers.”
To protect yourself, you need to use third-party authentication like OpenID and two-factor authentication whenever they are available, as well as a password manager to generate and keep track of very long random passwords.
Otherwise, it looks like you should assume your password will get hacked.
Read the story here: Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” | Ars Technica.