Pass phrases composed of words have a higher entropy to memorization difficulty ratio. Consider this example: OP's password has upper and lower case letters, and numbers. That's a character space of 26 + 26 + 10 = 62. The password is 16 characters long, so that's a total password strength of 16 * log2 62 = 95.3 bits of entropy.

But what about these random words: "light goes consider method page agree what sorry" which I picked randomly from the comments above. If you spent a few minutes repeating them, could you memorize them? If you could, you would get a surprising 228 bits of entropy (that's 10^40 times harder to crack than OP's password). The character space is 26 lower case letters + spaces, so 27 total, but it's 48 characters long.

That's assuming the attacker doesn't know the pass phrase is composed of dictionary words. If he does, then he could do a literal dictionary attack. A standard dictionary might have 80,000 unique root words, which is the new "character space". Thus the entropy is 8 * log2 80000 = 130 bits, still 10^10 times stronger than OP's password, and not much harder to remember.

For every word you add, you get another 16 bits of entropy, while in OP's password, for every character you add, you get 6 bits of entropy. The interesting thing is that words are not much harder to remember than characters, because your brain remembers both as whole chunks of information. In fact, to get OP's password you need to memorize whole words (plus a protocol) to derive the individual characters when you could just remember whole random words.

The only real advantage is that songs/rhythms make things easier to remember. The downside is that he didn't use a random collection of words. If the attacker knows that OP used a meaningful sentence, he could do a statistical attack based on grammar. For example, "let's" is more likely to be followed by a verb, like "light", than by a noun. That greatly reduces the search space.
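
The two attacker models in the comment above, as an added example that is not part of the original comment: it scores a secret under character brute force and under a dictionary attack, reports the weaker figure, and draws a pass phrase with a CSPRNG. `SAMPLE_WORDS`, the function names and the `dict_size` parameter are assumptions made for this sketch.

```python
import math
import secrets
import string

# Constructed stand-in word list (assumption). A real list would hold
# thousands of words, e.g. the ~80,000 root words the comment assumes.
SAMPLE_WORDS = ["light", "goes", "consider", "method",
                "page", "agree", "what", "sorry"]

# (character class, size of that class)
CHAR_CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
                (string.digits, 10), (" ", 1), (string.punctuation, 32)]

def charset_size(secret):
    """Character space a brute-force attacker must cover for this secret."""
    return sum(n for chars, n in CHAR_CLASSES
               if any(c in chars for c in secret))

def brute_force_bits(secret):
    """Model 1: attacker guesses character by character."""
    return len(secret) * math.log2(charset_size(secret))

def dictionary_bits(secret, wordlist, dict_size=None):
    """Model 2: attacker guesses word by word from a list of dict_size words.
    Returns None when the secret is not made only of listed words."""
    words = secret.split()
    if not words or any(w not in wordlist for w in words):
        return None
    return len(words) * math.log2(dict_size or len(wordlist))

def effective_bits(secret, wordlist, dict_size=None):
    """Assume the attacker knows the scheme: the weakest model wins."""
    models = [brute_force_bits(secret),
              dictionary_bits(secret, wordlist, dict_size)]
    return min(b for b in models if b is not None)

def generate_passphrase(wordlist, n_words):
    """Uniform, independent draws from a CSPRNG, so every word adds
    log2(len(wordlist)) bits; a meaningful sentence would add fewer."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

if __name__ == "__main__":
    phrase = "light goes consider method page agree what sorry"
    print(f"brute force : {brute_force_bits(phrase):.1f} bits")
    print(f"dictionary  : {dictionary_bits(phrase, SAMPLE_WORDS, 80_000):.1f} bits")
    print(f"effective   : {effective_bits(phrase, SAMPLE_WORDS, 80_000):.1f} bits")
    print("generated   :", generate_passphrase(SAMPLE_WORDS, 4))
```

With the 8-word sample list each generated word carries only 3 bits, so the per-word figure depends entirely on the size of the list actually sampled from.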