Passphrases versus passwords

Using a multi-word “passphrase” instead of a password has been suggested for decades as a way to thwart guessing attacks. I’ve mentioned it on Sciencetext numerous times. The idea is apparently making a more widespread comeback, not least because it’s easier to type words than character strings on mobile apps. Unfortunately, the actual security when faced with an offline attempt to find a password is not quite as high as we had hoped, according to new research into the randomness of passwords and passphrases.

That said, for most systems a hacker does not have the opportunity to try millions of combinations one after the other to break into your Facebook or Amazon account, for instance. So, I’d suggest that a five- or six-word passphrase is still going to be tough to crack in a real online situation. But I would caution that if you’re using such a passphrase you might like to mix and match upper- and lower-case letters and add a few non-alphanumerics to the string to make it more pseudorandom, just in case.
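To put numbers on the online-versus-offline point, here is a small worked example I’ve added to this post (it is not from the research described above). It draws words uniformly at random from a word list, which is the only way a passphrase actually carries the entropy its length suggests, and then estimates how long exhausting the guess space would take at two assumed rates: a rate-limited web login and an offline attack on leaked hashes. The word list, the vocabulary sizes and the guessing rates are constructed illustrations, not measured values.

```python
import math
import secrets

# Constructed toy word list; a real list (Diceware-style) has several thousand entries.
WORDLIST = ["apple", "river", "stone", "cloud", "tiger", "lamp", "orbit", "quilt"]

# Assumed guessing rates for illustration only (not figures from the post or the research).
ONLINE_RATE = 100          # guesses/second against a rate-limited web login
OFFLINE_RATE = 10 ** 10    # guesses/second against a leaked hash database on GPU hardware

SECONDS_PER_YEAR = 365 * 24 * 3600


def generate_passphrase(num_words, wordlist=WORDLIST):
    """Draw num_words uniformly at random with a CSPRNG; uniform choice is what
    makes the entropy estimate below valid (human-chosen phrases are not uniform)."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def guess_space(num_words, vocab_size):
    """Number of candidate passphrases an attacker must consider in the worst case."""
    return vocab_size ** num_words


def passphrase_bits(num_words, vocab_size, case_variation=False):
    """Entropy in bits. Randomly capitalising each word (or not) adds one bit per word,
    which is the effect of the 'mix upper and lower case' advice when done at random."""
    per_word = math.log2(vocab_size) + (1 if case_variation else 0)
    return num_words * per_word


def seconds_to_exhaust(num_words, vocab_size, rate):
    """Time to try every candidate at the given guesses-per-second rate."""
    return guess_space(num_words, vocab_size) / rate


def compare(num_words, uniform_vocab, effective_vocab):
    """Contrast a passphrase whose words were drawn uniformly from uniform_vocab words
    with one whose words were chosen by a person, modelled (as an assumption) as an
    effective vocabulary of effective_vocab common words. Returns years to exhaust."""
    rows = {}
    for label, vocab in (("uniform", uniform_vocab), ("human-chosen", effective_vocab)):
        rows[label] = {
            "bits": passphrase_bits(num_words, vocab),
            "online_years": seconds_to_exhaust(num_words, vocab, ONLINE_RATE) / SECONDS_PER_YEAR,
            "offline_years": seconds_to_exhaust(num_words, vocab, OFFLINE_RATE) / SECONDS_PER_YEAR,
        }
    return rows


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(5))
    # 7776 is the size of a standard Diceware list; 1000 is an assumed effective
    # vocabulary for words people tend to pick themselves.
    for label, row in compare(5, 7776, 1000).items():
        print(f"{label:13s} {row['bits']:5.1f} bits  "
              f"online: {row['online_years']:.3g} years  "
              f"offline: {row['offline_years']:.3g} years")
```

Running it shows the asymmetry the post describes: five words drawn uniformly from a 7776-word list come out around 65 bits and take decades to exhaust even at ten billion guesses per second, whereas five words from an effective vocabulary of only a thousand common words fall in roughly a day offline, yet would still take far longer than any attacker’s patience against a login that allows a hundred guesses a second.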

Some evidence on multi-word passphrases.

Author: David Bradley

Freelance science journalist, author of Deceived Wisdom. Photographer and musician.