blicero
Are you trying to post the link to XKCD that I've already posted?
You may be misreading the comic explanation. The bits of entropy that it's referring to are entirely dependent on the words being chosen at random. Which is what I've been saying.
Random letters, numbers and symbols are drawn from a character set of about 70 - 100.
Random words from the English dictionary are equivalent to a character set of thousands.
Which is why four words can have as good as the entropy of an eight character password.
But again, this entropy bit count is based on being randomly chosen from the set of possibilities.
If the user is choosing the words based on a favorite song, book, common phrase, whatever... then the entropy is meaningless. The attacker no longer has to brute force the entire set of possibilities; rather, the attack will be guessing from common phrases and what they know about the target.
Instead of each word being any word from the entire dictionary, it can be derived and deduced from the previous words and a number of factors. Instead of quadrillions of possibilities, now we have thousands.
For example, take a seven-word passphrase. A completely random diceware passphrase from a large English dictionary of, say, 3000 words will have 3000^7 (2.187E24) possibilities.
But if the user is choosing the words, not at random, based on some personal preferences such as a favorite song, movie quote, whatever... we are talking about millions of possibilities. Far, far weaker and easy for a computer to go through.
We can simplify this further by thinking about PINs. A six-digit PIN has a million possibilities. There's a reason why two-factor codes are randomized and rotated every 30 seconds.
Now imagine if there were no 30-second rotation and the user chose the numbers. They do it based on some important date or phone number. The attacker doesn't have to go through all possibilities but will take advantage of knowing basic information such as area codes, zip codes, birthdays or ages of children, etc. Instead of a million possibilities, it can most likely be cracked in a few hundred.
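An added example (not from the post above) that puts numbers on the argument: it computes the search space and entropy for uniformly random picks from a word list or character set, and generates a passphrase with a CSPRNG, since the entropy figure only holds when the picks are actually random. The word list is a constructed toy list, not a real Diceware list.

```python
import math
import secrets

# Constructed toy word list; a real Diceware list has 7776 entries.
WORDLIST = ["anchor", "basket", "candle", "dragon", "engine", "forest",
            "garden", "hammer", "island", "jungle", "kettle", "lantern"]


def possibilities(set_size: int, count: int) -> int:
    """Size of the search space when each of `count` symbols is an
    independent, uniformly random pick from `set_size` choices."""
    return set_size ** count


def entropy_bits(set_size: int, count: int) -> float:
    """Entropy in bits for the same uniform random selection.
    This figure is meaningless if a human picks the words from memory."""
    return count * math.log2(set_size)


def generate_passphrase(wordlist, n_words: int) -> str:
    """Pick n_words uniformly at random with the secrets module (CSPRNG),
    which is what makes entropy_bits(len(wordlist), n_words) apply."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    # 7 words from 3000: 2.187e24 possibilities, about 81 bits
    print(f"7 words from 3000: {possibilities(3000, 7):.3e} "
          f"({entropy_bits(3000, 7):.1f} bits)")
    # 8 random printable ASCII chars (95-symbol set): about 53 bits
    print(f"8 chars from 95:   {entropy_bits(95, 8):.1f} bits")
    # 4 Diceware words (7776-word list): about 52 bits, comparable
    print(f"4 words from 7776: {entropy_bits(7776, 4):.1f} bits")
    # 4 words from the toy list: only about 14 bits, list size matters
    print(f"4 words from toy list: {entropy_bits(len(WORDLIST), 4):.1f} bits")
    print(generate_passphrase(WORDLIST, 4))
```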