The University of Plymouth just published [[ https://www.plymouth.ac.uk/news/decade-of-research-shows-little-improvement-in-password-guidance | a study ]] that states, "Leading internet brands including Amazon and Wikipedia are failing to support users with advice on how to securely protect their data..." One main point that was emphasized by [[ https://techcrunch.com/2018/07/19/surprise-top-sites-still-fail-at-encouraging-non-terrible-passwords/ | TechCrunch ]] is that Wikipedia accepts single-character passwords like “b”. That makes wikipedia.org the only top ten websites not to require a minimum password length. Although Wikimedia doesn't store nearly as much personal information as the other websites on the list, studies like this can give the impression that security isn't taken seriously for other elements of the sites (like credit card donations). Eight characters seems to be a secure minimum password length, used by others including Google and Microsoft.
* [https://www.sciencedirect.com/science/article/pii/S1361372318300630?via%3Dihub paper (paywalled)]