That only works against basic bruteforce attacks; if you are using hybrid attacks those passwords become easier to crack.

What people don't realize is that professionals who crack passwords for a living use quite sophisticated techniques. Using known information about the target, common masks, and patterns makes cracking specific passwords easier than just bruteforcing them.

If you use a 300K-word dictionary and know (or can assume) that the passphrase will be constructed out of 3-5 words, the password entropy isn't as large as it would be if you treated this as a single-case or mixed-case alpha password of, say, 12-16 characters.

When dealing with a generic password your basic unit is a character, so a 16-char password is made out of 16 units, each of which has a specific search space: single-case alpha is 26, mixed alpha is 52, single-case alphanumeric is 36, and so on.

Here you have 3-4 units, each with a fixed search space, and that's the dictionary you use. The search space can be restricted even further if we can assume certain things about the algorithm that generated the passphrase.

If we take the poem example, we can assume that words will not appear more than once in the passphrase and that they might need to rhyme; this alone can reduce the password entropy considerably.

If we take other examples like story-based passphrases, e.g. "the quick brown fox jumps over the lazy dog", then we can base our assumptions on what we know of the English language, for example that words like "the" will appear at least once in such sentences, as well as make some estimates about how many verbs, nouns, and pronouns will appear on average in each sentence based on their common distribution, which again allows you to reduce the search space considerably.

Passphrases are still great when you need to ensure that your passwords won't be broken in bulk when a breach happens, because unless your account is admin@ijustgothacked.com you most likely won't be a target, and those types of data dumps are still usually broken through basic dictionary, masked, and cheap bruteforce attacks.

If you might be targeted directly or phished, then passphrases might not offer any sufficient level of protection and could actually be weaker than an annoying mixed-alpha-num-special password.

That of course will change if everyone starts using passphrases: if you expect that 50% of your hashed password dump is passphrases, you will adapt your password cracking techniques accordingly.
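As an added example (not part of the comment above, and not anyone's cracking tool), the search-space arithmetic the comment describes can be worked through in a few lines of Python: a character-based password is alphabet_size^length, a wordlist passphrase is dict_size^words summed over the assumed word counts, and each attacker assumption (no repeated words, a leading word such as "the" assumed known, or users actually drawing from a much smaller list of common words than the full 300K dictionary) shrinks that count. The dictionary sizes and the hash rate are constructed assumptions for illustration, not measurements.

```python
"""Search-space arithmetic for character passwords vs. word-based passphrases.

Added example, not part of the original comment. The dictionary sizes and the
hash rate used below are constructed assumptions for illustration only.
"""
import math


def charset_keyspace(alphabet_size: int, length: int) -> int:
    """Candidates for a password of exactly `length` characters drawn from an
    alphabet of `alphabet_size` symbols (26 lower, 36 lower+digits, 52 mixed...)."""
    return alphabet_size ** length


def wordlist_keyspace(dict_size: int, min_words: int, max_words: int,
                      allow_repeats: bool = True, known_positions: int = 0) -> int:
    """Candidates for a passphrase of min_words..max_words words taken from a
    dictionary of `dict_size` words.

    allow_repeats=False models the assumption that no word appears twice
    (ordered selections without replacement, i.e. permutations).
    known_positions models word slots the attacker assumes they already know
    (e.g. a leading "the"); those slots contribute no choices.
    """
    total = 0
    for k in range(min_words, max_words + 1):
        free = max(k - known_positions, 0)
        if allow_repeats:
            total += dict_size ** free
        else:
            total += math.perm(dict_size, free)
    return total


def bits(keyspace: int) -> float:
    """Entropy-equivalent size in bits for a uniformly chosen candidate."""
    return math.log2(keyspace)


def expected_crack_seconds(keyspace: int, hashes_per_second: float) -> float:
    """Expected time to hit the target: on average half the space is searched."""
    return keyspace / 2 / hashes_per_second


if __name__ == "__main__":
    rate = 1e10  # constructed assumption: a GPU rig against a fast unsalted hash
    cases = {
        "16 chars, lowercase alpha": charset_keyspace(26, 16),
        "16 chars, mixed-case alpha": charset_keyspace(52, 16),
        "3-5 words, 300K dictionary": wordlist_keyspace(300_000, 3, 5),
        "3-5 words, 300K dict, no repeated words":
            wordlist_keyspace(300_000, 3, 5, allow_repeats=False),
        "3-5 words, 300K dict, leading word known":
            wordlist_keyspace(300_000, 3, 5, known_positions=1),
        "3-4 words, 2K common-word list": wordlist_keyspace(2_000, 3, 4),
    }
    for label, space in cases.items():
        years = expected_crack_seconds(space, rate) / 86_400 / 365
        print(f"{label:42s} {bits(space):6.1f} bits   ~{years:.3g} years")
```

Running it shows where the reduction actually comes from: against a full 300K dictionary the no-repeat assumption barely moves the number, and fixing one word slot removes about 18 bits, but assuming users pick from a couple of thousand common words drops a 3-4 word phrase well below a random 12-character lowercase password.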