I’m not sure how you expect someone to brute force a web service. It is possible but it would be equivalent to a denial of service. Having long passwords for a online login makes no sense. A randomly generated 12 character password isn’t any more or less secure than a 40 character password since they both take a unrealistic amount of time to brute force.

A 12 character password made up of standard characters would take 475,920,314,814,253,376,475,136 tries assuming you know the length. I don’t see how someone could brute force a web service.

I will say I get annoyed at web services that require special characters since I like to use 3 words from the EFF extended word list.