The brief summary is that any competently-run websites do not store passwords, only a big random number that is generated using your password (called a hash). It's why you always have "password reset" rather than something like a "show me the password I forgot" option - the website is literally incapable of telling you what your password is. If the hashes are leaked, an attacker can try running millions of guesses against them to see if they can discover any passwords. But it's slow and requires a lot of computing power. If you use a weak password it's easier to crack.