From a security perspective there's no need to worry about even 12-character passwords. If you use only alphanumeric characters you still get 71 bits of entropy. That may sound bad, but what's your threat model? Is it neighborhood hackers or war drivers? Even if they had a house packed with 100 Threadripper machines brute-forcing a 12-character password, it would take them over 500 years on average.
Password entropy is only one factor that determines the strength of a password and should never be considered in isolation, especially given the natural human tendency to create simple, easy-to-remember, predictable, non-random passwords. By definition, password entropy is just a measurement of its "unpredictability" based only on a given character set and the number of chars used in the string. However, a password entropy value means very little if the password string itself is not sufficiently random. IOW, you can have 2 passwords with exactly the same entropy value where one is much more secure than the other simply because it's more randomly constructed.
For example, the following two 12-char passwords have the same entropy value (71.45) but one would be considered much more secure, complex, and random than the other:
MyPassWord12
M1WdJxTsP2bZ
Ironically, the vast majority of "password strength meters" tend to be extremely inadequate & misleading in their assessment of password strength because they don't take into account the randomness of a string and the raw processing power of custom-made gear. That's why most strength meters would give the same "rate" to the above 2 passwords even though their actual security strength is not the same (e.g. the 1st one is already found in several dictionary-cracking programs).
As a final point, note that research points to very strong evidence that a passphrase (i.e. a set of random "words" that make up a phrase/sentence which would be more human-friendly and memorable) tends to be significantly more realistic and secure for the average person. Thus, the greater the maximum number of chars allowed in a password field, the better chances of creating a unique, memorable, and still secure passcode without the need to resort to short, complex, and hard-to-remember gibberish.
There is no general consensus as to what the ideal passphrase length should be, but the current rule of thumb is that at the very minimum a length of 20 chars is needed to construct a secure string using at least 4 random "words" that should be uniquely personal but easy to remember for the average person. Again, while we humans are not very good at determining true randomness, a longer passphrase has a better chance of being remembered and effectively used than a complex, hard-to-remember password (hint: xkcd.com).
Just my 2 cents.
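An added example, not part of the original posts: the sketch below computes the length-times-charset entropy figure quoted above for both sample passwords and then applies a simple dictionary-token check that tells them apart. The wordlist, the function names and the 50% coverage threshold are assumptions chosen for illustration.

```python
import math
import re
import string

ALNUM = string.ascii_letters + string.digits  # 62-symbol alphanumeric set

# Constructed mini wordlist standing in for a real dictionary (assumption).
COMMON_WORDS = {"my", "pass", "word", "password", "admin", "welcome", "letmein"}


def naive_entropy_bits(password, charset_size=len(ALNUM)):
    """Length * log2(charset size): the figure a simple strength meter reports."""
    return len(password) * math.log2(charset_size)


def dictionary_tokens(password, words=COMMON_WORDS):
    """Split on case changes and digit runs; return the parts found in the wordlist."""
    parts = re.findall(r"[A-Z]?[a-z]+|[A-Z]+|\d+", password)
    return [p for p in parts if p.lower() in words]


def looks_guessable(password, threshold=0.5):
    """True when dictionary words cover at least `threshold` of the characters."""
    if not password:
        return True
    covered = sum(len(t) for t in dictionary_tokens(password))
    return covered / len(password) >= threshold


def assess(password):
    """Combine the naive entropy figure with the dictionary check."""
    return {
        "password": password,
        "naive_bits": round(naive_entropy_bits(password), 2),
        "dictionary_tokens": dictionary_tokens(password),
        "guessable": looks_guessable(password),
    }


if __name__ == "__main__":
    for candidate in ("MyPassWord12", "M1WdJxTsP2bZ"):
        print(assess(candidate))
```
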