Most of the hand-wringing about password complexity and length is about offline attacks, where the hacker exfiltrates the database.
But even an offline attack isn't as fast as the article suggests if the web site is using best practices. Best practices are that passwords are salted and hashed, and only the hash is stored. So the hackers must know HOW the passwords are hashed (the procedure is different, for instance, the web site can go 20 "rounds" or 21 or any number...the hacker must figure this out or be hopelessly locked out. The hacker will also need to have the salt, which is typically secured separately from the hash. Some web sites use a hash that takes significant processing power, taking pure brute force hacking essentially off the table. Of course if the hacker has access to the hashes, AND has access to your source code to know how you're building the hash (again, source code is typically secured differently or not in the same location as the hashes), then it becomes feasible to start brute force cracking. But before they try that, they'd probably get the guys with non-random passwords (the rainbow table approach). So like most security, physical or computer, if you make it just a little harder for the bad guy to attack you over the guy who's not doing the basics, you'll probably avoid any problems. I use completely randomly generated 8 character passwords with all character sets and am not worried about it. I use a password manager, but this reasonable length lets me type it in if I have to, which I occasionally have to do.