[citation][nom]ojas[/nom]I remember Andrew Ku saying that correcthorsebatterystaple would be the equivalent of a 4-letter password in the case of a dictionary-based attack[/citation]
Sorry, that's stupid. First, you can't have it both ways. Either you do a brute force attack, or you do a dictionary attack. You can't do both. And sure, if said hacker used a dictionary-based attack, it would be a 4-letter password, but four letters out of 10 000 letters, assuming a restricted dictionary was used.
Which is still 10 000 times safer than an 8 character random alphanumeric password.
And if the hacker is using a brute force approach, sorry, it's infinitely safer. I love you guys who talk about dictionary attacks. I've never seen a dictionary attack use several words. They either use single words then switch to brute attacks, or start off with brute attacks from the start. But whatever makes you feel safe...