Also, adding a year and/or an exclamation mark at the end isn't going to save you.
Normally (if you're not a specific target) they just run the 10K most popular passwords (available to the public on GitHub) and a script that tries all the variations on those with capitals, numbers and special characters added. That's automated guessing and pretty fast; it'll give you some positives from a large database.
If you are a specific target because your account has greater value, trying to crack a password becomes an option. They'll try to brute-force all possible combinations of characters. On top of not being easy to guess, the length of a password now becomes important. Every extra character increases the number of possibilities exponentially. If we only count letters, 26*10⁴ combinations are a lot faster to crunch than 26*10⁸. That's why passphrases are pretty effective if you need a long password that you can remember.
Control leaked e-mail. The easiest scam is just spamming a leaked e-mail address. No password involved. You can add a note to the e-mail address you use to make an account. For example, [email protected] has +asr added. The e-mail is still being delivered to [email protected]. However, if you get spam, you can see where it is directed to. If it is directed to +asr, ASR has willingly or unwillingly leaked your e-mail address. You can simply block all mail that's directed at the +asr combo, notify the site's owner and register a new e-mail (+asr2 for example) at the website.
For non-specific targets, if your password is compromised as well, they'll likely try to log in to your PayPal with the +asr e-mail. Even if your password isn't unique, that'll fail. But please, use unique passwords!
If you're the type of audio enthusiast who has a NAS or home server to store their music, you can host your own Bitwarden server with Vaultwarden. This way your data is stored locally with open source software.
Safe browsing!
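The "+tag" trick above (a +asr sub-address per site, then watching which tag the spam arrives on) can be turned into a small triage script. The following is an added example, not code from the post or from any forum member; the log format, the addresses and the REGISTERED mapping are constructed for illustration. It parses recipient sub-addresses from mail-log lines, counts messages per tag that came from a sender domain other than the site the tag was handed to, names the tags that have evidently leaked, and proposes the replacement tag (+asr becomes +asr2) to register next.

```python
import re
from collections import Counter

# Constructed sample: simplified mail-log lines, one delivered message per line.
# Format (assumed): "<timestamp> from=<sender> to=<recipient> subject=..."
SAMPLE_LOG = """\
2024-05-01 08:12:03 from=news@shop-a.test to=<alice+shopa@example.test> subject="Weekly deals"
2024-05-01 09:40:11 from=noreply@bank.test to=<alice+bank@example.test> subject="Statement ready"
2024-05-02 10:05:47 from=promo@pills.test to=<Alice+ShopA@example.test> subject="CHEAP MEDS"
2024-05-02 11:22:30 from=win@lottery.test to=<alice+shopa@example.test> subject="You won"
2024-05-03 07:15:02 from=bob@example.test to=<alice@example.test> subject="Dinner?"
2024-05-03 12:48:19 from=crypto@rich.test to=<alice+forum@example.test> subject="10x your money"
"""

# Which sender domain each tag was handed to at sign-up (constructed mapping;
# in practice this is the note you keep when you register with +tag).
REGISTERED = {"shopa": "shop-a.test", "bank": "bank.test", "forum": "forum.test"}

# Angle brackets around addresses are optional in the assumed log format.
LINE_RE = re.compile(r"from=<?(?P<sender>[^>\s]+)>?\s+to=<?(?P<to>[^>\s]+)>?")


def split_subaddress(addr):
    """Split 'local+tag@domain' into (local, tag, domain), all lower-cased.
    The tag is '' when the address carries no '+' part."""
    local, _, domain = addr.rpartition("@")
    base, _, tag = local.partition("+")
    return base.lower(), tag.lower(), domain.lower()


def parse_log(log_text):
    """Yield (tag, sender_domain) for every log line that has both fields."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        _, tag, _ = split_subaddress(m.group("to"))
        sender_domain = m.group("sender").rpartition("@")[2].lower()
        yield tag, sender_domain


def unexpected_by_tag(log_text, registered=REGISTERED):
    """Count, per tag, the messages whose sender domain is not the site
    that tag was given to. Untagged mail is ignored: nothing to attribute."""
    counts = Counter()
    for tag, sender_domain in parse_log(log_text):
        if tag and registered.get(tag) != sender_domain:
            counts[tag] += 1
    return counts


def leaked_tags(log_text, registered=REGISTERED, threshold=1):
    """Tags that received at least `threshold` messages from unexpected senders."""
    counts = unexpected_by_tag(log_text, registered)
    return sorted(tag for tag, n in counts.items() if n >= threshold)


def next_tag(tag):
    """Replacement tag to register after a leak: 'asr' -> 'asr2', 'asr2' -> 'asr3'."""
    m = re.fullmatch(r"(.*?)(\d+)", tag)
    if m:
        return f"{m.group(1)}{int(m.group(2)) + 1}"
    return f"{tag}2"


if __name__ == "__main__":
    counts = unexpected_by_tag(SAMPLE_LOG)
    for tag in leaked_tags(SAMPLE_LOG):
        print(f"+{tag} leaked ({counts[tag]} unexpected message(s)): "
              f"block +{tag}, re-register as +{next_tag(tag)}")
```

Matching is case-insensitive because mail local parts are routinely re-cased by senders, and the threshold lets you demand more than one stray message before blocking a tag, so a single mis-addressed mail does not force a re-registration.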