Database of the other site compromised every site you use that combo on.
Hackers aren't repeatedly trying random passwords on FB's log in page. They've stolen a whole database of passwords, decrypted all of them, and are trying those email -password combos on FB to see if they get a hit.
So, it's more important to use a different password on every site than to worry about how long your password is.