Free Republic

To: palmer
Such as?

Techniques like social engineering, packet captures, keystroke loggers and dumpster diving have yielded passwords.

Probing for passwords? How exactly? If an intruder wants data he will take the data. If he wants a salted hash file, he can have mine. I'll send it to him.

I do not know all the possible ways there are, and I don't think it's reasonable to expect me to give you a comprehensive course on hacking. Suffice it to say that not all passwords get you access to valuable data. Whenever a set of credentials is acquired you have to test them, possibly against many machines, to determine what they do and do not grant access to. A low-level account might not grant you access to any valuable data, but might get you into a workstation where someone with an account that does might log on and let you capture theirs, and the testing starts all over again.

The source will be someone's compromised home computer or a server in Poland or China.

The source of the hack might be, but servers that hold sensitive data are typically firewalled so that they cannot talk directly to home computers in Poland or China. You have to get control of a computer that can talk to both. That is the source that will be recorded in the server's event logs you'll be looking for - the initial ingress point into the internal network.

Makes sense, but that many intrusions were short.

There's no "magic bullet" that will stop every type of intrusion. Things like requiring minimum password lengths and complexity, and periodic changes are basic good practice that will help protect against many known types of intrusion. Network security always starts with the assumption that the system can be breached and may already have been.

43 posted on 08/26/2015 4:21:55 AM PDT by tacticalogic ("Oh bother!" said Pooh, as he chambered his last round.)
[ Post Reply | Private Reply | To 42 | View Replies ]


To: tacticalogic
Yes for social engineering and dumpster diving, no for packet capture and keystroke logging (if you are on the machine you don't need a password). Social engineering and dumpster diving are successful precisely because of artificial password churn that results in sticky notes with passwords and endless password update screens that people get routed to. With no password changes people are going to reject a fake password change screen or password change link. Granted they can still be routed to a fake login screen, but that problem is not solved by changing passwords.

You seem to be punting on the probing for passwords. The thing to understand is that when a password system is implemented securely, as are more and more these days, there is no probing. There is simply a secure channel for entering the password (e.g. https) and a password hash comparison. There is no place or moment to probe for passwords since they are never cleartext or unhashed except momentarily in some server software which is easy to implement securely.

Things like requiring minimum password lengths and complexity, and periodic changes are basic good practice

Simply put, they are not. My 30 year old, relatively short and simple password is perfectly adequate for what I use it for. I run numerous servers using that password. The security of the ssh authentication is 100% independent of password size and complexity. An attacker can steal my salts and hashes and perform a brute force attack. But to do that he would already be in the server and can set up his own account or install a back door for access.

OTOH, I just looked at my logs and I have numerous probes hitting many potential weaknesses. Password complexity, length and changing interval protect against none of those. One injects "cat%20/var/www/secret.passwd", another looks for "...../../../../../var/tmp/voip.cfg%20%26...", etc. In contrast my server with the crown jewels has absolutely no probe attempts in any logs, and the reason can be seen by typing "sudo iptables -L".

All probing attempts are obvious including the attempts to find the obfuscated ssh ports. The number of password tries is limited to three and then the attacker will have used up an IP address. Suffice to say my password is not going to be brute forced from outside.

There are two choices to getting my password: from outside by keystroke logging on my laptop, or inside by getting in via a vulnerability. Password complexity and length do not add any protection against either of those. Password changes are only going to stop the attacker within about a month or two. In the meantime the attacker will have the prior password. A month or two is certainly long enough to get what he wants.

44 posted on 08/26/2015 4:58:54 AM PDT by palmer (Net "neutrality" = Obama turning the internet into FlixNet)
[ Post Reply | Private Reply | To 43 | View Replies ]
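The two log checks palmer describes above (spotting injection and traversal probes in web logs, and cutting off an IP after three failed ssh passwords) as an added example; this is not code from either poster. The log lines are constructed samples that mimic the request strings quoted in the post; the IP addresses are documentation ranges.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log sample: two probes like those quoted in the post, one normal request.
ACCESS_LOG = """\
203.0.113.7 - - [26/Aug/2015:04:21:55 -0700] "GET /cgi-bin/x.cgi?cmd=cat%20/var/www/secret.passwd HTTP/1.1" 404 0
198.51.100.3 - - [26/Aug/2015:04:22:10 -0700] "GET /..%2F..%2F..%2F..%2Fvar/tmp/voip.cfg%20%26 HTTP/1.1" 404 0
192.0.2.44 - - [26/Aug/2015:04:22:31 -0700] "GET /index.html HTTP/1.1" 200 512
"""

# Constructed sshd sample: three failed passwords from one address, one key login from another.
AUTH_LOG = """\
Aug 26 04:30:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 51122 ssh2
Aug 26 04:30:03 host sshd[1001]: Failed password for root from 203.0.113.7 port 51122 ssh2
Aug 26 04:30:05 host sshd[1004]: Failed password for admin from 203.0.113.7 port 51130 ssh2
Aug 26 04:31:00 host sshd[1010]: Accepted publickey for palmer from 192.0.2.44 port 40000 ssh2
"""

# Checked against the URL-decoded path, so %2F and %2E encodings do not hide the probe.
TRAVERSAL = re.compile(r"(\.\./){2,}")
SHELL_META = re.compile(r"(^|[?&=])\s*(cat|ls|wget|curl|sh)\b|[;&|`]")

def decode_request(line):
    """Return (client_ip, decoded_path) for a combined-format access log line, or None."""
    m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) ', line)
    if not m:
        return None
    path = m.group(2)
    for _ in range(2):  # two passes undo double encoding such as %252E
        path = unquote(path)
    return m.group(1), path

def find_probes(log_text):
    """List (ip, decoded_path) for requests showing traversal or shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        parsed = decode_request(line)
        if parsed is None:
            continue
        ip, path = parsed
        if TRAVERSAL.search(path) or SHELL_META.search(path):
            hits.append((ip, path))
    return hits

def ips_over_limit(auth_text, limit=3):
    """IPs that reached `limit` failed sshd passwords, i.e. what a three-strikes rule would block."""
    failures = Counter(re.search(r"from (\S+) port", line).group(1)
                       for line in auth_text.splitlines() if "Failed password" in line)
    return sorted(ip for ip, n in failures.items() if n >= limit)
```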
