I'm oversimplifying a little to keep from writing a whole book :)

Basically a dictionary attack: we take a bunch of known words, we just break the password down smaller and attach smaller words. Say a 9 character password: I search my dictionary and I check for combinations of smaller words such as appletree, brownpony, applepony, browntree as well as 9 character words. Then, since I've used a spellchecker dictionary, I have the common misspellings, so we check brownpnoy, applepnoy, etc. We also added the hacker speak to our dictionary, so we look for br0wnp0ny, @pplep0ny, and of course we did the search and replace against our whole spell checker dictionary, so we got @ppl3pn0y and br0wnpn0y as well.

Basically I am disagreeing with the statement that simply making a password from four (or most any number of) words makes it much more secure, because it does not. Adding random letters, numbers, punctuation, etc. does make it a little more secure.

Usually when I need a password I'll go find a random password generator and I'll have it generate say 10 at a time then choose one or more and merge them. That way even if someone were sniffing the traffic at that instant they don't know which of the 10 I chose.
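As an added example (not the poster's code), here is a Python check a registration form could run from the defender's side. It implements the same two steps the post describes a cracker doing, undoing hacker-speak substitutions and then testing whether the result is just dictionary words glued together (misspellings included), so that such passwords can be rejected at creation time. The word list, the "pnoy" misspelling entry and the substitution table are constructed for this example.

```python
"""Added example: reject passwords that are only dictionary words,
with or without leet-speak substitutions (defender's side of the
dictionary attack described in the post)."""
from functools import lru_cache

# Constructed toy word list. A real deployment would load a spellchecker
# dictionary plus its common misspellings, as the post describes.
DICTIONARY = {
    "apple", "tree", "brown", "pony", "cat", "sky",
    "pnoy",  # constructed entry standing in for a "common misspelling"
}

# Reverse mapping from common hacker-speak characters to the letter they stand for
# (constructed; extend as needed).
LEET_TO_PLAIN = {
    "0": "o", "1": "l", "3": "e", "4": "a", "@": "a",
    "$": "s", "5": "s", "7": "t",
}


def normalize(password: str) -> str:
    """Undo the substitutions a cracker would have applied to its word list."""
    return "".join(LEET_TO_PLAIN.get(ch, ch) for ch in password.lower())


def split_into_words(text: str, min_len: int = 3):
    """Return a list of dictionary words that exactly tile `text`, or None.

    Dynamic programming over prefix positions. A word must be at least
    `min_len` letters so that stray single letters cannot trivially match.
    """
    n = len(text)

    @lru_cache(maxsize=None)
    def solve(i):
        if i == n:
            return ()
        for j in range(i + min_len, n + 1):
            piece = text[i:j]
            if piece in DICTIONARY:
                rest = solve(j)
                if rest is not None:
                    return (piece,) + rest
        return None

    result = solve(0)
    return list(result) if result is not None else None


def is_dictionary_composite(password: str) -> bool:
    """True when the password is nothing but dictionary words joined together,
    i.e. exactly the kind of password the post's attack recovers quickly."""
    return split_into_words(normalize(password)) is not None


if __name__ == "__main__":
    for candidate in ["applepony", "@ppl3pn0y", "br0wnpn0y", "xq7Rt!9z"]:
        verdict = "weak (dictionary words)" if is_dictionary_composite(candidate) else "not a word composite"
        print(f"{candidate}: {verdict}")
```

Because the check normalizes first, both the plain and the hacker-speak forms of the same word pair fail it, which is the point the post makes: substituting 0 for o or @ for a adds nothing once the attacker has applied the same substitutions to the word list.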