There are a number of different types of password attacks. Three such types are brute force, dictionary, and keylogger. Brute force and dictionary attacks are similar in that they both involve a script and a password list used to attempt to authenticate against a site or service. A keylogger is usually a trojan installed on an unsuspecting user's computer that logs keystrokes in order to gain access.
Example: On top of randomly created lists, actual password lists from breached sites are a sought-after prize for hackers. In some cases, the breaches result in stolen email and password combinations, but sometimes it's just the passwords on their own that are stolen. Either way, it's the most compelling reason not to use the same password across multiple sites.
Risk Mitigation: A password manager is the best way to generate and store your passwords. If you insist on creating your own, examples of strong passwords would be four random words, or a longer sentence that means something to you. If you want to check whether your email(s) or your password(s) have been involved in a breach, there is a site you can check.
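As an added example (not from the original page), the Python code below generates a "four random words" passphrase with a cryptographically secure random source and computes how many guesses a dictionary attack that already knows the word list would need on average. The word list, the function names, and the 7776-word list size used for comparison are assumptions made for illustration.

```python
import math
import secrets

# Constructed 32-word sample list, for illustration only. A real generator
# should load a published list with thousands of words.
SAMPLE_WORDS = (
    "anchor basket candle dolphin ember falcon garden harbor "
    "island jacket kettle lantern meadow nickel orchard pepper "
    "quartz ribbon saddle timber umbrella velvet walnut yonder "
    "zipper acorn bramble copper dagger engine feather glacier"
).split()


def generate_passphrase(words, count=4, sep="-"):
    """Join `count` words picked independently and uniformly by a CSPRNG."""
    unique = sorted(set(words))  # duplicates would skew the distribution
    if len(unique) < 2 or count < 1:
        raise ValueError("need at least two distinct words and count >= 1")
    return sep.join(secrets.choice(unique) for _ in range(count))


def entropy_bits(list_size, count=4):
    """Bits of entropy for `count` uniform picks from `list_size` words."""
    return count * math.log2(list_size)


def average_guesses(list_size, count=4):
    """Expected tries for an attacker who knows the list: half the keyspace."""
    return list_size ** count // 2


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    # 7776 = 6**5, the size of a five-dice wordlist (assumed for comparison).
    for size in (len(set(SAMPLE_WORDS)), 7776):
        print(f"{size:>5} words x 4: {entropy_bits(size):.1f} bits, "
              f"~{average_guesses(size):.2e} guesses on average")
```

With the 32-word sample list, four words give only 20 bits of entropy, so the size of the list the words are drawn from matters as much as the number of words.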
Some recommended password managers are: