by packet_nerd
2970 days ago
You're right that dictionary words are weak, regardless of whether they are long or short. The same applies to anything that can be arrived at by a simple heuristic such as dictionary word + 1, capitalized dictionary word, dictionary word with "@" substituted for "a", etc. However, outside of the above caveats, it's a common misconception that more complex is more secure. Which of these is harder to crack?

catzzzzzzzzzzzzz

db0mcgn20y64zzn7

Since an attacker is unlikely to arrive at either of these through a dictionary or heuristic, they will take roughly the same amount of time to brute force. When you force users to comply with arcane password policies, a high percentage of them are going to build their passwords in very predictable ways that are easy to code into a heuristic, like replacing "o" with "0" or something. These kinds of changes add no security value and are just extra work/bother for the users. With the length requirement, it's unlikely they're going to think of a dictionary word off the top of their head that is long enough (how long did you have to think about it to get pennsylvania?), and thus, on average, you're more likely to get more passwords that are a couple of words, or a phrase, or something that is a lot harder to dictionary attack. Once you break away from the dictionary, complexity doesn't matter, only length.
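The two attack models the comment contrasts, as an added example that is not part of packet_nerd's post: a small rule-based "mangler" of the kind crackers apply to a wordlist (capitalization, a trailing digit or "!", and the "@" for "a" / "0" for "o" style substitutions mentioned above), and the plain brute-force search space for a password that no rule reaches. The wordlist, the substitution table, the suffix list and the sample passwords are constructed for the demo; the search-space estimate assumes the attacker knows which character classes the password uses, which is the standard worst-case assumption.

```python
import itertools
import math
import string

# Constructed mini wordlist for the demo (a real cracker uses millions of entries).
DICTIONARY = ["cat", "password", "pennsylvania", "summer", "dragon"]

# Leet-style substitutions; "@" and "0" come from the comment, the rest are
# assumed additions in the same spirit.
SUBSTITUTIONS = {"a": "@", "o": "0", "e": "3", "i": "1"}

# Suffixes users predictably append to satisfy "must contain a digit/symbol".
SUFFIXES = [str(d) for d in range(10)] + ["!", "1!", "123"]


def rule_variants(word):
    """Return every variant of `word` a simple rule set would generate:
    three capitalizations, every subset of the substitutions, with and
    without a predictable suffix."""
    variants = set()
    for base in (word, word.capitalize(), word.upper()):
        for r in range(len(SUBSTITUTIONS) + 1):
            for keys in itertools.combinations(SUBSTITUTIONS, r):
                form = base
                for k in keys:
                    form = form.replace(k, SUBSTITUTIONS[k])
                variants.add(form)
                for suffix in SUFFIXES:
                    variants.add(form + suffix)
    return variants


def is_heuristically_reachable(candidate, dictionary=DICTIONARY):
    """True if `candidate` falls out of the rule set applied to the wordlist,
    i.e. it would be cracked in the cheap dictionary+rules phase."""
    return any(candidate in rule_variants(word) for word in dictionary)


def brute_force_bits(password):
    """log2 of the search space an attacker must cover when the password is
    not reachable by rules: alphabet size inferred from the character classes
    present, raised to the password length."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(alphabet)


def classify(password):
    """Which phase of an attack gets this password, and at what cost."""
    if is_heuristically_reachable(password):
        return ("dictionary+rules", None)
    return ("brute-force", round(brute_force_bits(password), 1))


if __name__ == "__main__":
    samples = [
        "P@ssw0rd",            # policy-compliant, 8 chars, mixed classes
        "Pennsylvania1",       # long, but dictionary word + 1
        "cat" + "z" * 13,      # the comment's first candidate
        "db0mcgn20y64zzn7",    # the comment's second candidate
    ]
    for pw in samples:
        phase, bits = classify(pw)
        cost = f"~2^{bits} guesses" if bits else "cheap, falls to rules"
        print(f"{pw:20s} {phase:17s} {cost}")
```

The "complex" 8-character `P@ssw0rd` is reached by the rule set from `password` and never sees the brute-force phase at all, while both 16-character strings from the comment escape the rules and cost on the order of 2^75 and 2^83 guesses respectively, well above the roughly 2^52 that an 8-character password drawn from all four classes would cost even if no rule reached it. Length, not the policy's class mix, is what moved those numbers.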