I believed that passphrases were pretty strong. I was probably wrong:
by our metrics, even 5-word phrases would be highly insecure against offline attacks, with fewer than 30 bits of work compromising over half of users.
http://www.lightbluetouchpaper.org/2012/03/07/some-evidence-on-multi-word-passphrases/