[ivanhoe]

Actually this is not such a good idea, this type of passwords is very easy to break with modern dictionary attacks. Just get yourself a password manager and generate really random passwords. If you really have to remember the password then at least try to mix the words with numbers and non-alphanumeric chars.

[gioi]

Reynold (Diceware creator) says:

"Five words are breakable with a thousand or so PCs equipped with high-end graphics processors (criminal gangs with botnets of infected PCs can marshal such resources). Six words may be breakable by an organization with a very large budget, such as a large country's security agency. Seven words and longer are unbreakable with any known technology, but may be within the range of large organizations by around 2030. Eight words should be completely secure through 2050."

http://world.std.com/~reinhold/dicewarefaq.html#howlong

[ivanhoe]

This type of estimates is relevant for brute force attacks, it's very hard to estimate how efficient a smart dictionary attack is. It very much depends on the size of the dictionary used for picking the words and if the words are picked in a truly random manner... which I really doubt because people will probably tend to pick short, common words that are easy to spell and memorize.

[vxNsr]

Most websites don't allow passwords longer than 21/30 characters. So getting to 8 words is difficult.

[DanBC]

Please could you link to a modern dictionary attack that makes a Diceware passphrase weak?

The attacker knows that I use Diceware. The attacker even knows that I have seven Diceware words in my passphrase.

It's still a secure passphrase.