Problem with pass-phrases is that people will take way too obvious stuff. (The comic is clearly the exception!) For example, you can expect mouser to use '
I like silly acronyms.' or in kyrathaba's case '
nany 2012 hangman YEAH'.
Or JoTo... '
Thank God It's Friday'.
This is only going to work if people use unpredictable things. For one, you can expect half the xkcd readers to use '
correct horse battery staple' from now on. Or '
import antigravity'. Or other meme-ish catchphrases.
Finally, it pays off to think that mere bits of entropy are not the defining characteristic when discussing password safety and the likelihood that it may be guessed. For example, suppose a user is english. That brings it to 26 letters plus a space character, assuming the random-string-of-words-thing and that people are likely to stick to lowercase. Assume that 30 characters is a good compromise for a password one has to type in, so you get 27^30 = 2.4244 * 10^36 different permutations. Sounds good, right?
Now throw in social engineering. Psychology. User idiocy. Someone looking over someones shoulder and spotting 30 little password characters being typed, or that only lowercase letters are typed. Maybe you think out loud while you're typing! (I wouldn't, but such idiots exist...) Long story kept short: once you are able to glean just a little bit of information about the format of a password, the effective entropy in the eyes of an attack is reduced significantly. Requiring a user to put in one or two odd characters may seem difficult, it prevents predictability and also prevents a brute-force attack that uses dictionary contents as its source from speeding things up. (Think about it: there are far more strings of letters that aren't words than there are actual words.) Likewise, asking for my mothers maiden name isn't a given to gain access to my email anymore; you at least have to figure out what blend of leetspeak I throw at it. (And password recovery schemes with such fixed questions, or equally constrained answers are an equally horrid disaster, but in this case I was implying my email password might be m4rgret.) Or maybe her year of birth. Etc.
While it may be a wet-dream to expect the full 8 bits/byte (=256 'characters') to be usable in a password, reducing it as many password systems do to merely (26*2 letters +10 numbers + underscore + space) = 64 is a security disaster.
Every extra bit of entropy doubles the problem space, and in case of a words and letters you can sooner think in factors of 26 or higher! Even worse, programs/websites half the time demand more than 5 and less than 12 characters. Why not allow 30 characters? All those requirements are little more than a gift for your enemies.
Anyhow, for so far that rant. My point is coming up... Pass-phrases are nice. Digits and weird characters are nice. But seperately, they are weak in the eyes of modern bruteforcing and even social engineering. One is slightly stronger than the other in different aspects, but neither is ideal.
But combining them is damn orgasmic for your security. The xkcd examples would skyrocket in complexity, just try the math for yourself.
