by mistercow
4811 days ago
A couple of problems. First off:

> If instead you use only 16 character password with no dictionary words (i.e. completely random) you have 3.4 * 10^38 possibilities.

You're confusing characters and bytes. If you limit yourself to what can be typed on a typical keyboard, you're looking at a set of 95 characters, not 256. That gives you 4.4E31 possibilities (or ~105 bits of entropy). If you limit yourself to what most password fields will accept, it's more like a set of 75 characters (optimistically), giving you 1E30 possibilities (~100 bits).

Secondly, I'm not sure the comparison is fair in terms of memorability. 7 words will fit easily in my working memory. 16 characters will not. If I have an exceptional working memory, I might be able to fit 10 characters in it, and suddenly we're down to 63 bits of entropy, compared to 77 bits for a 7 word pass phrase, even if we limit ourselves to a 2000 word dictionary. And committing those 7 words to long term memory is still going to be way easier than committing the random 9 character string. Incidentally, 77 bits is very close to the 80 bits that NIST recommends for the strongest passwords. 63 is quite a long way off.
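The arithmetic in the comment above (bits of entropy = length × log2(pool size), and how long a random password or passphrase must be to reach a target such as 80 bits) is easy to get wrong by hand, so here is an added worked example; it is not the commenter's code. It assumes the 95-character pool is printable ASCII including space, uses a small constructed word list as a stand-in for a real 2000-word or larger dictionary, and draws from Python's `secrets` module, since `random` is not suitable for generating credentials.

```python
import math
import secrets
import string
from typing import Sequence

# Assumption: "what can be typed on a typical keyboard" = printable ASCII incl. space (95 chars).
KEYBOARD_CHARS = string.digits + string.ascii_letters + string.punctuation + " "

# Constructed stand-in word list; a real list (e.g. a 2000-word or the 7776-word EFF list) is far larger.
SAMPLE_WORDS = [
    "anchor", "basil", "candle", "dragon", "ember", "falcon", "glacier", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
]


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly (with replacement) from `pool_size` choices."""
    if pool_size < 2 or length < 1:
        raise ValueError("need a pool of at least 2 symbols and length >= 1")
    return length * math.log2(pool_size)


def length_for_bits(pool_size: int, target_bits: float) -> int:
    """Smallest length whose entropy reaches `target_bits` for the given pool size."""
    return math.ceil(target_bits / math.log2(pool_size))


def random_password(length: int, pool: str = KEYBOARD_CHARS) -> str:
    """Uniformly random character password from `pool` using the OS CSPRNG."""
    return "".join(secrets.choice(pool) for _ in range(length))


def random_passphrase(n_words: int, wordlist: Sequence[str], sep: str = " ") -> str:
    """Uniformly random passphrase; deduplicating the list keeps the selection uniform."""
    words = sorted(set(wordlist))
    if len(words) < 2:
        raise ValueError("word list must contain at least 2 distinct words")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare_schemes(char_pool: int, char_len: int, dict_size: int, n_words: int) -> dict:
    """Entropy of a character password vs a word passphrase, plus lengths needed for 80 bits."""
    return {
        "chars_bits": entropy_bits(char_pool, char_len),
        "words_bits": entropy_bits(dict_size, n_words),
        "chars_for_80": length_for_bits(char_pool, 80),
        "words_for_80": length_for_bits(dict_size, 80),
    }


if __name__ == "__main__":
    # The commenter's scenarios: 95 printable chars, 75 "accepted" chars, a 2000-word dictionary.
    print(compare_schemes(95, 16, 2000, 7))
    print(compare_schemes(75, 10, 2000, 7))
    print(random_password(16))
    print(random_passphrase(7, SAMPLE_WORDS))
```

Note that the entropy figure only holds when every symbol or word is chosen independently and uniformly; a human-picked "random" string, or a list with duplicates, has less entropy than the formula reports.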