eli5: How does adding numbers or symbols to a password make it more secure? If those characters are already in the list of options a hacker has to try then wouldn’t having them or not be irrelevant?


A hacker still has to try every combination when brute-forcing a password, don’t they? If my password was long enough why wouldn’t any type of characters be fine?


Best answer given by /r/danceswithsteers below: [https://xkcd.com/936/](https://xkcd.com/936/)


10 Answers

Anonymous

Yes, you’re correct. If you just use random lower case characters, each additional letter you add increases the difficulty of brute forcing the password more than just adding a number.

However, most people don’t use random letters for their passwords, they use words. Passwords based on words only are susceptible to dictionary attacks (guess your password as one or more words found in a dictionary), which make it easier for someone to crack your password.

Requiring a combination of letters, numbers, and special characters makes it harder to crack because those dictionary attacks are no longer an option and the number of combinations that someone would have to try in a brute force attack dramatically increases.

For example, in a dictionary attack, there are approximately 171k words in the English language. A random eight character password with only lower case has 26^8 possibilities (208,827,064,576). Requiring upper and lower case characters increases this to 52^8 possibilities (53,459,728,531,456).

Adding numbers takes this password to 62^8 possibilities (218,340,105,584,896), and finally special characters is 95^8 (6,634,204,312,890,625). That’s 6.6 quadrillion options, approximately half of which must be tried to brute force.

To your point, however, a 12 character random password with only lowercase letters has 26^12 possibilities (95,428,956,661,682,176). So long story short, a longer password is almost always better than a password with more character types.

The best passwords are those that require two or more types of authentication, and when it’s an option, you should always go for multi-factor authentication.
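An added example, not part of the original answer: a small strength estimator that applies both attack models the answer describes and reports the smaller search space, since that is the one that determines how strong a password really is. `WORDS` is a tiny constructed wordlist, `DICT_SIZE` uses the answer's 171k figure, and the word-based estimate assumes the words were picked at random.

```python
import math
import string

# Character classes sized the way the answer counts them: 26, 52, 62, 95.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation + " "]
WORDS = {"correct", "horse", "battery", "staple", "sunshine"}  # constructed sample
DICT_SIZE = 171_000  # the answer's estimate of English words

def alphabet_size(password):
    """Total size of the character classes the password draws from."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))

def brute_force_space(password):
    """Candidates in an exhaustive search: alphabet ** length."""
    return alphabet_size(password) ** len(password)

def word_count(password, words):
    """Fewest dictionary words that concatenate to the password, else None."""
    best = [0] + [None] * len(password)
    for end in range(1, len(password) + 1):
        for start in range(end):
            if best[start] is not None and password[start:end] in words:
                if best[end] is None or best[start] + 1 < best[end]:
                    best[end] = best[start] + 1
    return best[-1]

def guess_space(password, words=WORDS, dict_size=DICT_SIZE):
    """Search space under whichever attack is cheaper for this password.
    Case and substitution mangling rules are not modeled."""
    space = brute_force_space(password)
    n = word_count(password, words)
    if n is not None:
        space = min(space, dict_size ** n)
    return space

if __name__ == "__main__":
    samples = ["sunshine", "qzkvwxjp", "qZ4!vw#p",
               "qzkvwxjpmbtr", "correcthorsebatterystaple"]
    for pw in samples:
        space = guess_space(pw)
        print(f"{pw:28} {space:>30,} candidates  {math.log2(space):5.1f} bits")
```

Run as a script, it shows `sunshine` collapsing from 26^8 candidates to 171,000 once the dictionary attack applies, while the 12-character lowercase string outscores the 8-character string drawn from all 95 characters.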
