Does alien injected code in index.php mean somebody surely has my password?
No, there are many ways you can get hacked, although if you are running Windows and get a virus then it is possible for that virus to steal your password, regardless of how strong it was. If you log in or use ftp over an unsecured wireless network (Starbucks or Panera, for example) it can get stolen that way as well.
If you're hosting on Bluehost then odds are it is not an insecurity with the server (their servers are underpowered imo, but safe). If it wasn't a virus or other password theft then most likely it would have been a script exploit, which means just fixing the visible hack won't be enough. You should do a complete rebuild of the main site (fresh core WordPress, all fresh plugins) and carefully check the theme and uploads. Also, if you are hosting more than 1 domain on that account you will need to go through the others as well to make sure nothing else was affected.
This shows up in my Malware search in Developer tools and a few other sites. I am unable to find 'argoauto.net' in any searches of my files or my database. Where could this be hiding.
Sometimes code like this will be encrypted, where you won't see it in directly in either the php or the database, and it only shows once WordPress has processed the php. The most common ways are either through using long random looking base64 encoded strings (typically implemented as eval(base64_decode("... snippets), or via a line that starts like this: preg_replace("/.*/e","\x65\x76\x61.