Sure, the math often feels like a hype boost, but real‑world attacks rely on guesses, not perfect brute‑force. A 12‑character mix gives you about 80 bits of entropy—enough for most services. If you’re dealing with very sensitive data, keep the mix, but you can shorten it for everyday use if you pair it with a password manager or multi‑factor authentication. In short, the rule isn’t a myth, it’s just a baseline that can be tuned to the risk level.