If your Microsoft account is the same as your Microsoft email address, you can just change your Hotmail / Outlook.com password - it's easier! But it isn't always the case: many schools, for example, will make you create a Microsoft account to login into various services, but allow you to use a third-party (non Microsoft) email address instead. In Windows 8 / 8.1 and Windows 10, you can use a "live account" to keep everything synced - something not offered in Windows 7, where you can just change your Windows password with your local account.
On Windows 7, however, your Microsoft account is used whenever you want to download something from the Microsoft.com website. In fact, just looking at the Windows online help files, you may have noticed that the site always checks who you are and goes through the login process before showing you the page. A bit creepy, but that's how it is :) To change your Microsoft password, go to www.microsoft.com/account - it redirects you to the proper country/language.
If needed, sign into your account using your current password. Unlike a Microsoft email address (which ends in @msn.com, @live.com, @hotmail.com, @outlook.com - or a country-specific version of one of these domains), your "Microsoft account" can be tied to any valid email address - even a Yahoo / Gmail / AOL Mail / other third-party email provider. That's even more true now that you can use your primary email address to log into Windows 8-10.
Once you see the landing page, click on the "Security & Privacy" link on the right of the main links. Click "Change password" on the next screen. Your Microsoft password is case-sensitive, so makes sure that Caps Lock is off, and pay attention to your capitalization! And while you're at it, you can change your name, profile picture, and other personal information by clicking on the "Your info" link at the top - some of that can be done from Windows itself.
Because your Microsoft account becomes more important by the day, you should enable two-step verification ("two-factor authentication"). The first time you login to your account from a particular device or web browser, you have to enter a special code besides your password. Combined with single-use sign-in codes, no-one can sign into your account with your password alone. Better do that now that you don't need it, than try regaining access of a hacked account!