Yeah, this has been going on for a while. I got one maybe last year or the year before that too, and I think it was already old by then. A good reminder though. The passwords are probably from leaks from other services and they're just guessing you're still using the same email address and password everywhere else because it's a fairly good guess.
What's the max length of a password that's actually used/stored on sites though? Some random sentence might sound safe, but if the site only checks the first 10 characters or so :/ Then try to remember 40 different random sentences for stuff you maybe only access a few times a year. Write it down somewhere safe. There's only 2 (difficult) passwords I remember, the one for my bank and the one for my email, since every password reset request goes to my email. That's the most vulnerable point. That's my Microsoft password now which I also unlock my laptop with every day, so won't forget it. Of course if MS gets hacked :/
Any service that does password security well doesn't, in practice, restrict password length, because the password itself is never stored but only used to calculate a fairly short value. I mean, there might be some really high restrictions, but in practice, you shouldn't run into them. Poorly designed services are another thing though...
Anyway, you'll want to use a different password everywhere. Password managers are what's considered an acceptable solution to 'remembering' all the passwords these days. That way, you only need to remember one password.
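An added illustration of the length question discussed above, not code from anyone in the thread: a salted hash produces the same short stored value for any password length, while a site that silently truncates treats different long passwords as equal. The function names, sample passwords and work factor are constructed for this example, and PBKDF2 is used only because it ships in the Python standard library.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor picked for this example only


def hash_password(password, salt=None):
    """Return (salt, digest). These two values are stored, never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, stored):
    """Recompute the digest from the login attempt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def truncating_hash(password, salt):
    """Poorly designed variant: only the first 10 characters are ever used."""
    return hash_password(password[:10], salt)[1]


if __name__ == "__main__":
    # Constructed sample passwords, one short and one long sentence.
    short_pw = "hunter2"
    long_pw = "correct horse battery staple rides a purple bicycle at dawn"

    for pw in (short_pw, long_pw):
        salt, digest = hash_password(pw)
        print(len(pw), "chars ->", len(digest), "stored bytes")

    # Full-length hashing notices a change in the last character.
    salt, stored = hash_password(long_pw)
    print("exact match:", verify(long_pw, salt, stored))
    print("last char changed:", verify(long_pw[:-1] + "X", salt, stored))

    # Truncating design: two different passwords sharing 10 characters collide.
    same = truncating_hash(long_pw, salt) == truncating_hash(long_pw[:10] + "zzz", salt)
    print("truncated collision:", same)
```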