Hacker News
by daneel_w 1389 days ago
> Am I missing something?

Sincere efforts in breaking password hashes are something else than a single individual with one GPU at their disposal - it's not the angry neighbor capturing your Wi-Fi traffic or some "randoms" on the dark web who got their hands on a leaked database.

Realistically you will never need to exhaust the full key space (vocabulary), even if the commonly used set would be as high as 10 000. If you refuse to use a password manager and random character strings for passwords, then at least don't settle for just four words, because you'll be going for common and memorable words, not something from the fringes of the dictionary. Unlike the case of a bunch of random characters, when picking a couple of words that you can remember easily, there's a psychological factor involved which can be attacked, so make it count.