If there is brute force protection on the login function blocking a username or IP from attempting x times in y hours AND there is a minimum of 8 characters then I can say thats strong protection on the backend. You are much more vulnerable to having your password phished rather than bruteforced.