FlyerTalk Forums - View Single Post - Try to get IHG to Change from PIN to Passwords!
Aug 19, 2016 | 12:59 am, post #7
FonzieBone
Join Date: Sep 2012
Location: FRA
Programs: MileagePlus Premier Silver, IHG Spire Elite, HHonors Silver, RapidRewards
Posts: 382
Please educate us as to these elaborate "sophisticated hacker" techniques.

You can either brute force (which any GOOD website will stop dead after a certain clipping level is reached, but any BETTER attacker will return to after the lockout period ends - usually via automated means such as a botnet).

You can use a dictionary, which, as you correctly alluded to, will (or should) contain most well-known passwords (such as password1234), keyboard walks (zaq12wsxZAQ!@WSX), and actual dictionary words, including permutations thereof such as "shrivel+evade".

You can phish information to get the actual password (but I'm sure everyone here is too smart for that), or

You can man-in-the-middle and intercept the password hash. Generally this type of traffic is already encrypted with TLS, so unless you've managed to get control of a proxy, or convince your mark to use one you've set up, it involves rather more than some internet script kiddie is capable of.

IHG as it currently stands is hugely susceptible to brute force. With only 10K possible PIN combinations and an easily guessable member number format, it would be child's play to get a botnet guessing PINs until a successful authentication occurs. Honestly I'm surprised they haven't been hit yet.

At the end of the day, the single best thing that any Joe InternetUser can do is to choose the longest password available that does not include dictionary words or keyboard walk patterns. Good password vault programs such as KeePass can generate one for you.

However, you're still at the mercy of crappy websites with crappy password implementation. I can't stand websites that require a password "no more than 8 characters, with at least one number and one uppercase character"...what is this, Windows 95?

Here is a real password with 305 bits of complexity:
N4SFMs"D=(\CR3\b~^=}!GO9/}LTo0`*7!TVP+#'.'X3h0B'(t

And here is a nice illustrated example if some of these words were too big:
https://xkcd.com/936/
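To put numbers on the post's two claims (a 10K PIN space is trivially exhaustible even behind a lockout, and a long random password is not), here is an added example that is not the poster's code: it estimates the guess space and random-choice entropy of a secret from its character classes, and the worst-case time to exhaust that space against one account under a constructed lockout policy of 5 attempts per 15 minutes.

```python
import math
import string

# Character classes a generator such as KeePass typically draws from.
CLASSES = [
    (set(string.digits), 10),
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.punctuation), 32),
]


def charset_size(secret: str) -> int:
    """Size of the union of character classes that appear in `secret`."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in secret))
    if size == 0:
        raise ValueError("no recognised character class in secret")
    return size


def random_entropy_bits(secret: str) -> float:
    """Bits of entropy if every character were chosen uniformly at random.

    Upper bound only: a dictionary word or keyboard walk of the same
    length has far less, which is why the post says to avoid them.
    """
    return len(secret) * math.log2(charset_size(secret))


def seconds_to_exhaust(space: int, attempts_per_window: int, window_seconds: float) -> float:
    """Worst-case time to try every candidate against ONE account when the
    site allows `attempts_per_window` guesses per `window_seconds` lockout."""
    windows = math.ceil(space / attempts_per_window)
    return windows * window_seconds


if __name__ == "__main__":
    policy = (5, 15 * 60)              # constructed policy: 5 guesses, then 15-minute lockout
    pin_space = 10 ** 4                # the 10K PIN combinations mentioned in the post
    pw = "x7$Qm!2Lp@9vZ#r4"           # constructed 16-character random-style password
    pw_space = charset_size(pw) ** len(pw)
    print(f"4-digit PIN : {math.log2(pin_space):6.1f} bits, "
          f"{seconds_to_exhaust(pin_space, *policy) / 86400:.1f} days to exhaust")
    print(f"16-char pw  : {random_entropy_bits(pw):6.1f} bits, "
          f"{seconds_to_exhaust(pw_space, *policy) / (86400 * 365):.2e} years to exhaust")
```

Under that policy the whole PIN space takes about 21 days per account, which is why rate limiting on its own does not rescue a 4-digit secret; the same policy against the 16-character password runs out the calendar.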