This assumes that it is known that the password is four random words. The security of this method hinges on the fact that that information is not known.
That's not the case, though. Even knowing the general manner in which the passphrase is constructed, if the four words are randomly selected then the best an attacker can do is to brute force the space of 2^44 possible phrases, which is difficult enough to be considered secure. The very same can be said for the seven-character random password: the best an attacker can do, knowing how the password is constructed, is to brute-force a space of about 2^46 possible passwords, which is secure enough.
And this must be true in order for passphrases to be a reasonable choice. Because if people start using passphrases commonly, then this formulation will immediately be added to password cracking toolchains along with all the other common types of password.
On the other hand, the passphrase's actual "entropy" is probably lower than the advertised 44 bits, because patterns like the appearance of an adjective ("correct") before a noun ("horse") are common enough in the English language that they, too, could be factored into a smart password cracking tool.
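As an added illustration (not part of the thread), the search-space arithmetic behind the 2^44 and 2^46 figures, plus the effect of the adjective-before-noun pattern mentioned above. It assumes a 2048-word list (11 bits per word, as in the comic), the 95 printable ASCII characters for the random password, and constructed vocabulary sizes of 300 adjectives and 1000 nouns per slot; those slot sizes are assumptions chosen to show the shape of the reduction, not measured values.

```python
import math

# Assumed parameters (not from the thread): a 2048-word list gives exactly
# 11 bits per randomly chosen word; printable ASCII has 95 characters.
WORDLIST_SIZE = 2048
CHARSET_SIZE = 95


def passphrase_bits(wordlist_size=WORDLIST_SIZE, n_words=4):
    """Entropy of n_words drawn uniformly and independently from the list."""
    return n_words * math.log2(wordlist_size)


def random_password_bits(charset_size=CHARSET_SIZE, length=7):
    """Entropy of a password of `length` characters drawn uniformly from the charset."""
    return length * math.log2(charset_size)


def structured_passphrase_bits(slot_sizes):
    """Entropy when the attacker knows the vocabulary for each word position.

    slot_sizes lists how many candidate words each slot can hold, e.g.
    [adjectives, nouns, adjectives, nouns].  Because the slots are independent,
    the search space is the product of the slot sizes, so the bits add up.
    """
    return sum(math.log2(size) for size in slot_sizes)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for an attacker who knows the construction and so
    must, on average, try half of the 2**bits possibilities."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(guesses_per_second=1e9, adjectives=300, nouns=1000):
    """Summarise the three constructions at an assumed guess rate.

    The adjective/noun counts are constructed illustration values; the point is
    that knowing the grammatical pattern shrinks the space below the 44-bit figure.
    """
    uniform = passphrase_bits()
    random_pw = random_password_bits()
    # Assumed pattern: "adjective noun adjective noun" (e.g. "correct horse ...").
    patterned = structured_passphrase_bits([adjectives, nouns, adjectives, nouns])
    return {
        "four_random_words_bits": uniform,
        "seven_random_chars_bits": random_pw,
        "adjective_noun_pattern_bits": patterned,
        "pattern_entropy_loss_bits": uniform - patterned,
        "four_random_words_seconds": expected_crack_seconds(uniform, guesses_per_second),
        "seven_random_chars_seconds": expected_crack_seconds(random_pw, guesses_per_second),
        "adjective_noun_pattern_seconds": expected_crack_seconds(patterned, guesses_per_second),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:32s} {value:,.2f}")
```

The guess rate passed to `compare` is an input, not a claim about any particular cracker; what the numbers show is that the 7-character random password and the 4-word uniform passphrase sit within a couple of bits of each other, and that a grammatical constraint the attacker can model is charged against the passphrase in exactly the same additive way as a smaller word list would be.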
Exactly. In a thread about "900gage!@#" being cracked in a few hours[1], this same discussion came up. It's worth reading for those who are wondering about passphrases vs. complex passwords.
This is, again, not about a random password, as moxie explains in that thread. And as he continues, with regard to the comic: "I think that's totally on the right track, but if people start to do that, chances are that they'll start to create exploitable patterns again".
Any password cracker smart enough to exploit the patterns in "900gage!@#" is also smart enough to exploit the construction of an English language passphrase. The passphrase is still secure enough (probably), but it is not more secure than the random password. And if there is any one thing to take away from that thread, it should be that it's foolish to assume the obscurity of your passphrase's formulation gives you any extra security whatsoever.
Thanks for your reply, Niten! Sorry, I didn't mean to imply that "900gage!@#" was random, but many people would (wrongly) consider it complex. Users who are not generating and storing random passwords (with KeePass or the like) may make safer password decisions when thinking in terms of a phrase rather than a "complex" word. Of course, they'd be far safer still by using a good password manager and long, truly random passwords.