How are short passwords not safe on the web?

On all web services that require passwords, like gmail, you are asked to set a long password. Like 8 characters or more.

The reason being higher security.

But the same services limit the number of login attempts to 3-4 tries before locking your account and asking for more info. Something which I find very annoying, but that’s another topic.

So how is a short password insecure if they limit log in attempts ? If the pw has 5 characters someone can not try all combinations in just 3 attempts.