The point is that an attacker doesn't know what your password looks like, or what kind of passphrase you are using.
Your suggestions are all perfectly valid, but they ignore the most common reason people choose short passwords: memorability. People do not want to have to spend 60 seconds typing their password in because they need to remember (or work out) which numbers go where. A far more memorable way of doing it (and the way I currently do it) is to include punctuation in your pass-phrases, and replace letters with numbers/symbols if they make sense (i.e. e => 3, a => @, etc).
In any case, I'd hold that the sheer number of combinations of all possible words is far greater than the number of combinations of letters and numbers. Think about it; there are 52 letters (upper / lowercase), 10 digits, and probably around 20 or so common punctuation symbols. That gives us 82 characters in total to play with, but let's be generous and hike the number up to 100. Brute-forcing an 8-character password would take at most 100^8 = 10,000,000,000,000,000 attempts. How many possible words are there? The OED estimates almost a quarter of a million, but let's assume our attacker takes out a large number of them, and we are left with a dictionary of 100,000. How many words do we need in a passphrase to generate the same level of attempts? Roughly, 3:
100^8 = 100,000^x
x = 16/5
x = 3.2
Source: http://www.wolframalpha.com/input/?i=100...100000%5Ex
Reduce the dictionary further to only 10,000 words and you only need one extra word in your passphrase in order to meet the same exhaustive search requirements. This is all done without the use of punctuation or altering the words in any way.
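Added example (not part of the original post): the comparison above in Python, extended to whole-word counts and to generating a passphrase. It assumes each word is drawn independently and uniformly at random; the function names are hypothetical and `WORDS` is a constructed stand-in list, far smaller than the 10,000 to 100,000 word dictionaries discussed in the post.

```python
import math
import secrets

def keyspace(symbols: int, length: int) -> int:
    """Exhaustive-search size: `symbols` choices at each of `length` positions."""
    return symbols ** length

def fractional_words(dictionary_size: int, target: int) -> float:
    """Solve dictionary_size ** x == target for x (the post's x = 16/5)."""
    return math.log(target) / math.log(dictionary_size)

def words_needed(dictionary_size: int, target: int) -> int:
    """Smallest whole number of words whose keyspace is >= target (exact integers)."""
    count, space = 0, 1
    while space < target:
        space *= dictionary_size
        count += 1
    return count

def entropy_bits(space: int) -> float:
    """Search space expressed in bits, for comparing unlike schemes."""
    return math.log2(space)

# Constructed sample wordlist (assumption): a real list would hold thousands of words.
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
         "iris", "juniper", "kelp", "lantern", "meadow", "nectar", "orchid", "pebble"]

def generate_passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """Draw words with a CSPRNG; the keyspace figures only hold for this kind of selection."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))

if __name__ == "__main__":
    target = keyspace(100, 8)  # 8 characters from a 100-symbol alphabet
    print(f"8-char password: {target:,} guesses, {entropy_bits(target):.1f} bits")
    for size in (100_000, 10_000):
        n = words_needed(size, target)
        print(f"{size:>7,}-word dictionary: x = {fractional_words(size, target):.2f}, "
              f"whole words = {n}, {entropy_bits(keyspace(size, n)):.1f} bits")
    # Sized against the tiny sample list, so the word count is much larger here.
    n = words_needed(len(WORDS), target)
    print(f"sample list ({len(WORDS)} words) needs {n} words:",
          generate_passphrase(WORDS, n))
```

A phrase picked by a person (a quotation, a lyric, related words) does not meet the uniform-selection assumption, so these figures are upper bounds for it.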