Well your password, however strong it is as weak as any webservice's security and password handling capabilities. If they use a http site to transfer your password and do like what twitter did in logging the password before encrypting it, or worse just save it as it is on their server then you are doomed.

So the first rule is USE HTTPS EVERYWHERE EXTENTION AND NEVER USE THE SAME PASSWORD ON DIFFERENT SITES.