
Don’t change passwords all the time

Use a password only once

Multi-factor Authentication (MFA)

Do not rely on a password without it. There are so many ways to intercept a password or to trick you into revealing it to a third party (phishing pages, keyloggers, a reused password leaking from some other site) that a password on its own should always be considered weak. Prefer a second factor that cannot be phished along with the password, such as a hardware key or a platform authenticator (FIDO2/WebAuthn), over codes sent by SMS or e-mail, which an attacker can relay or intercept.

Minimum length

Judging by current databases of precomputed password hashes for the most common algorithms (see, for example, Free Rainbow Tables), a reasonable rule of thumb in 2023 is that a password drawn from upper-case letters, lower-case letters and digits should be at least 18 characters long to stand up to massively parallel cracking attempts; anything shorter should be assumed to be already in such a database or within reach of a GPU cluster. Two caveats: precomputed tables only work against unsalted hashes, so a service that salts every password and uses a slow hash (bcrypt, scrypt, Argon2, PBKDF2) is not exposed to them, although short or guessable passwords still fall to direct brute force and dictionary attacks; and the length figure assumes characters chosen at random, not a word or a date padded out to 18 characters.

Warning signs

From time to time you will still find applications and web pages with a small maximum size for the password entry field. Consider this a warning sign. If passwords are handled correctly (which means the password itself is never stored, only the output of a salted, slow password hash), the stored value has a fixed size regardless of how long the password is, so there is no reason to limit its length beyond a generously large upper bound (a few hundred or a thousand bytes) that keeps someone from overrunning the form or the hashing routine. Whether the client hashes before sending or the server does the calculation after receiving the password over an encrypted connection, the server must never keep the password itself; note that a hash computed on the client becomes the effective password and still has to be salted and hashed again on the server. One legitimate exception is bcrypt, which only processes the first 72 bytes of its input, so a site using it may cap at 72 characters, still far above the limits that should worry you. If password length is tightly limited (say, to 8, 12 or 16 characters), you should suspect that the site stores your password in clear text or in a fixed-width database column. That is not very clever in itself, and it should make you ask whether you can trust them with anything else if they take your security that lightly.
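To make the two points above concrete (why a salted, slow hash makes precomputed tables useless and why correct storage needs no tight length limit), here is an added example written for this page; it is not code from any application the page describes. The storage format "algo$iterations$salt$hash", the parameter values and the MAX_PASSWORD_BYTES guard are assumptions chosen for the illustration, and the sample passwords are constructed. It uses PBKDF2-HMAC-SHA256 from the Python standard library because it is available everywhere; Argon2 or scrypt would be the same pattern.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

# Parameters for the illustrative storage format (assumptions for this
# example, not anything prescribed by the page): PBKDF2-HMAC-SHA256 with
# 600,000 iterations, a 16-byte random salt and a 32-byte derived key.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
# Generous upper bound on accepted password size. It exists only to stop
# someone feeding megabytes into the slow KDF, not to fit a database column.
MAX_PASSWORD_BYTES = 1024


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits an attacker must search for a password of random characters."""
    return length * math.log2(alphabet_size)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algo$iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn per password, so two users with the same
    password get different records, and a table precomputed for unsalted
    hashes cannot be looked up against either of them.
    """
    data = password.encode("utf-8")
    if not data:
        raise ValueError("empty password")
    if len(data) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long (denial-of-service guard)")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS, dklen=KEY_BYTES)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-run the derivation with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    data = password.encode("utf-8")
    if not data or len(data) > MAX_PASSWORD_BYTES:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", data, salt, rounds, dklen=len(expected))
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(actual, expected)


def stored_digest_length(record: str) -> int:
    """Bytes occupied by the stored digest: constant, whatever the password length."""
    return len(bytes.fromhex(record.split("$")[3]))


if __name__ == "__main__":
    short = "Tr0ub4dor&3"                         # constructed sample password
    long_pw = "correct horse battery staple " * 8  # constructed, about 230 chars
    r1, r2 = hash_password(short), hash_password(short)
    print("same password, different records:", r1 != r2)
    print("correct accepted:", verify_password(short, r1),
          "wrong rejected:", not verify_password("Tr0ub4dor&4", r1))
    print("digest bytes, short vs long password:",
          stored_digest_length(r1), stored_digest_length(hash_password(long_pw)))
    print("18 random chars over [A-Za-z0-9]: %.1f bits" % keyspace_bits(18, 62))
```

Running it shows the two records for the same password differ (the salt), a 230-character passphrase produces exactly the same 32-byte digest as an 11-character password (so no tight input limit is needed), and the page's 18-character, 62-symbol rule of thumb corresponds to roughly 107 bits of search space.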