by mistercow
4788 days ago
Four words chosen from 2048 possibilities gives you 44 bits of entropy (this is what passphra.se does). If you're being specifically targeted in an offline attack, that won't hold up. But in that very rare scenario, you are already in trouble. A 44-bit password will protect you from attackers trying to harvest from a big pool of stolen hashes, or from attackers brute-forcing the login form on a website. That is not the same thing as "fake security through obscurity". As for the problem of strong, memorable passwords that can stand up to offline attacks, there is still a gap (a 253-bit password made of 11-bit words would be 23 words long), but I don't think the problem is unsolvable. A project I am interested in working on when I have time is one that produces very long, but memorable high-entropy passwords with rigorously quantified entropy by generating evocative, grammatically structured sentences, using a carefully selected word list and a set of Mad Libs-style templates. So to get a ~256-bit passphrase, you might be left to type out a 50-word poem. It would take effort to memorize, but it would be reasonably doable, whereas memorizing a random 39-character password is extremely difficult for most people. Moreover, since you'd be working with a limited set of words and grammatical constructs, the password entry form could have robust auto-correction so that typos and spelling errors wouldn't be a significant problem.
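As an added worked example (not the commenter's code), the Python below carries the arithmetic in the comment above through: the 44-bit figure for four 11-bit words, the 23-word count for 253 bits, and a conservative min-entropy figure for a templated sentence scheme. The template slot sizes are constructed for illustration and are not from the post.

```python
import math

# Constructed example data (not from the original post): two sentence templates,
# each mapping a slot name to the size of the word list that fills that slot.
TEMPLATES = [
    {"adjective": 256, "noun": 2048, "verb": 512, "object": 2048},  # 8+11+9+11 = 39 bits
    {"noun": 2048, "verb": 512, "adverb": 128, "object": 2048},     # 11+9+7+11 = 38 bits
]


def word_bits(wordlist_size):
    """Bits contributed by one word drawn uniformly from a list of this size."""
    return math.log2(wordlist_size)


def passphrase_bits(wordlist_size, word_count):
    """Entropy of word_count independent uniform draws (4 x 11 = 44 for passphra.se)."""
    return word_count * word_bits(wordlist_size)


def words_needed(wordlist_size, target_bits):
    """Smallest word count whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / word_bits(wordlist_size))


def fill_bits(template):
    """Entropy of filling every slot of one template uniformly and independently."""
    return sum(word_bits(n) for n in template.values())


def template_min_entropy_bits(templates):
    """Conservative (min-entropy) strength of one generated sentence: pick a
    template uniformly, then fill its slots. Counting the weakest template
    rather than the average keeps the figure a lower bound on guessing work,
    which is what 'rigorously quantified' entropy should mean for a password."""
    return math.log2(len(templates)) + min(fill_bits(t) for t in templates)


def sentences_needed(templates, target_bits):
    """Return (sentence count, worst-case word count) to reach target_bits by
    concatenating independently generated sentences."""
    per_sentence = template_min_entropy_bits(templates)
    count = math.ceil(target_bits / per_sentence)
    longest = max(len(t) for t in templates)
    return count, count * longest
```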