On all web services that require passwords, like gmail, you are asked to set a long password. Like 8 characters or more.
The reason being higher security.
But the same services limit the number of login attempts to 3-4 tries before locking your account and asking for more info. Something which I find very annoying, but that’s another topic.
So how is a short password insecure if they limit log in attempts ? If the pw has 5 characters someone can not try all combinations in just 3 attempts.