by rdl 5123 days ago
This guy has no idea what a dictionary attack is, or entropy in various forms of password or pass phrase. Probably not a great source of security policy advice.

A pass phrase with 4 words chosen from a large alphabet, assuming the words are randomly selected, gets a lot of entropy really fast compared to a similarly memorable numeric PIN (6-8 digits, tops). "Leetspeak" passwords derived using common rules from rules aren't a lot better than just words themselves, and are hard to remember (I've had to brute force a bunch of variations on my own or for other people when keyboard layouts changed, or when exact punctuation was not remembered).

20000 words in vocabulary, take 4, is 1.6e17 combinations. Dictionary attack that?