by fexl 5123 days ago
Right, the use of numbers is not necessary. For example, I could publicly advertise that my password for a particular site consisted of exactly six words chosen randomly from the word list at http://world.std.com/~reinhold/diceware.html.

People would be free to attack it at will, but it wouldn't do much good because that password contains approximately 78 bits of entropy. The attack would be slow enough offline (for example if they somehow possessed a bcrypt hash of my passphrase), but far slower online (if they had to send each guess across the internet one by one).

I could of course cleverly substitute some digits here and there, which would make my public declaration a lie. I suppose some "security through obscurity" can help, though I could have accomplished just as much if not more by simply using seven words instead of six.
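The entropy figures and the offline-versus-online comparison in the comment above can be checked directly. The following is an added example, not code from the commenter or from the Diceware project: it rolls Diceware keys with a CSPRNG (five dice per word, which is how the real 7776-entry list is indexed), computes the entropy of a six- and seven-word passphrase, estimates expected cracking time under assumed guess rates (the 10 guesses/second online and 100,000 guesses/second offline figures are illustrative assumptions, not values from the comment), and bounds how much a single known-scheme digit substitution could add compared with a seventh word.

```python
import math
import secrets

# Real Diceware list size: one word per ordered roll of five six-sided dice.
DICEWARE_LIST_SIZE = 6 ** 5  # 7776
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def roll_diceware_key() -> str:
    """Five CSPRNG dice rolls -> a lookup key such as '34521' for the Diceware word list.

    The word list itself is not embedded here; the key is what you look up in it.
    """
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def diceware_keys(n_words: int) -> list[str]:
    """Keys for an n-word passphrase, each chosen uniformly and independently."""
    return [roll_diceware_key() for _ in range(n_words)]


def passphrase_entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of n words drawn uniformly and independently from a list of list_size entries."""
    return n_words * math.log2(list_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess a uniformly random secret of `bits` bits.

    On average half the keyspace is searched before the secret is hit.
    """
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def single_substitution_bits(n_positions: int, n_alternatives: int) -> float:
    """Upper bound on the extra entropy from replacing one of n_positions characters with
    one of n_alternatives symbols (or leaving the passphrase untouched), assuming the
    attacker knows this is the scheme. Modelling assumption for illustration only.
    """
    return math.log2(n_positions * n_alternatives + 1)


if __name__ == "__main__":
    # Illustrative guess rates (assumptions, not from the comment): a rate-limited
    # web login versus an offline attack on a bcrypt hash with a modest work factor.
    ONLINE_GUESSES_PER_SEC = 10
    OFFLINE_GUESSES_PER_SEC = 100_000

    print("Diceware keys for six words:", " ".join(diceware_keys(6)))
    for n in (6, 7):
        bits = passphrase_entropy_bits(n)
        print(f"{n} words: {bits:.1f} bits; expected crack time "
              f"online {expected_crack_years(bits, ONLINE_GUESSES_PER_SEC):.2e} years, "
              f"offline {expected_crack_years(bits, OFFLINE_GUESSES_PER_SEC):.2e} years")

    # A single digit substitution somewhere in a ~30-character passphrase adds far
    # less than the ~12.9 bits a seventh word adds.
    print(f"one digit substitution (30 positions x 10 digits): "
          f"{single_substitution_bits(30, 10):.1f} bits")
    print(f"one extra word: {passphrase_entropy_bits(1):.1f} bits")
```

The six-word figure comes out at roughly 77.5 bits, matching the "approximately 78 bits" in the comment, and the seventh word adds about 12.9 bits, more than the rough 8 bits a single known-scheme digit substitution can contribute. The crack-time estimates scale linearly with the assumed guess rate, which is exactly why the online case is so much slower than the offline one.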