Originally Posted by superangrypenguin
Are you aware of how PKI/https/certs etc. work?
I have some understanding of how encryption works - I am also aware of something called brute force attacks, which only require a sufficient number of data points for verification before they are compromised.
I think the advice about periodically changing passwords is sound.
Going out on a bit of a limb here, but I suspect most of the data being sent in an https session is predictable just by looking at the URL - Anyone with access to the same institution's web page with a different set of valid credentials could see what is the expected content (i.e. the frame/text of the web page). The only varying/interesting pieces are the personalized bits of information.