Google allowed 6 character passwords for a while, and didn't expire them when they increased minimum to 8 for google workspace accounts. This has been fantastic, as users can remember their password forever even if its higher complexity (google does a password strength eval). No rotations either.

I'm pretty confident google will pick-up someone trying to brute force a 6 character password. That google will notice connections from new / different IPs or browsers. That's because google asks for my 2FA in various situations but doesn't annoy me by asking for 2FA all the time.

I use one govt system that has something like a 14 character password requirement. For even more security if you don't log in for 90 days your account goes inactive and the password EXPIRES! Very secure you say? Well, to regain access you have to provide the answer to a security question - favorite pet! That's a 5 letter word that doesn't change (and is probably pretty guessable).

Here is another example:

"(b) Information systems must be designed to require passwords to be changed not less frequently than every sixty (60) days." - SBA IT Security Policy - 90 47 4