In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)
Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.
You haven’t provided any evidence to support your claim. Online accounts can’t easily be brute forced.
If a hash is leaked you just change the password. As long as you aren’t reusing the same password everywhere you are fine.
How do you know when a password is leaked?
What’s the distribution of variance in brute force protections on online services?
Why would it matter? If they can access the password they probably can access everything else on that service. Just don’t reuse passwords.
If the hashes are leaked and that’s immediately caught and customers are immediately informed, just change your password.