A recent xkcd brings up an important tenet of password strength.
In general, when it comes to passwords:
length > complexity
A site that requires a minimum of 6 characters but enforces complexity is more likely to have some compromised accounts than a site that requires 12 character passwords regardless of complexity. (One caveat: The 12 character password CANNOT be a dictionary word.)
Now, a “problem” that arises with using a random passphrase like “correct horse battery staple” is that if it becomes a standard practice, the cracking programs will be changed to simply pass every dictionary word in combination with every other one.
But this isn’t actually a problem. Say we take a dictionary of 5,000 common words. The number of 4-word combinations would be 5,000^4, or 625 quadrillion. Let’s suppose we pass this through a supercomputer capable of one million attempts per second. It would still take about 20 years to go through every combination. Of course it should find the correct one sometime before then, but nevertheless it’s a difficult task to pull off.