The current largest danger, when it comes to passwords, is offline attacks on compromised databases, your computer, etc. Online attacks are much less of a problem because the server can (and hopefully does) throttle the number of times you can try - if you're limited to 100 tries, then it's pretty easy to create a password that won't be in the first 100 things a hacker will guess.
For offline attacks, if the password is stored using something relatively insecure like SHA256 (which is not compromised, it's just too fast), it's very inexpensive to make billions of guesses per second against a hash like that. They'll go through a list of the top 10 million most common passwords, then start iterating through lists of combinations of common dictionary words. Most password cracking software is very smart and will try all kinds of substitutions.
Assume that "Forgive" and "her" are in a dictionary of the 2000 most common words. Trying all 2-word combinations would be 2000^2 = 4 million guesses. They try with and without a special character (including a space) between them - assuming say 15 different characters, that's 60 million guesses. Try it with the first letter capitalized and uncapitalized, then also try each word alternately in all-caps (multiply by 5) 300 million guesses. Let's assume that each word, using common "1337" substitutions, has an average of 10 alternate forms - that's 3 billion guesses to cover the entire space of the 2000 most common words with all kinds of variations. On average your password will be about halfway through the list, so say 1.5 billion guesses to get there. If you used a $50 GPU, this would take maybe 10-20 seconds to complete. If you used ASICs designed for mining bitcoin, it would take much, much less than a second.
Of course, the attackers might try other strategies. If they used a pure brute force, they'd never get to Forgive@her, but password cracking has gotten a lot smarter than that. You're basically taking a risk that this strategy (which is actually a subset of a more commonly used strategy) is not known by the hackers, because if it is, you'll be cracked very, very quickly.
Best practice in password strategies is to assume that the hacker knows your exact strategy and calculate the entropy of the password. The best "bang for your buck" is fully random, random-case passwords with all special characters possible. Assuming a 96 character set, a 12-character password like that has about 10^23 combinations, so even making 100 trillion guesses per second would take 200 years. If you want to use words, effectively case insensitive, you'll probably need more characters (but fewer words) - a password of equivalent security drawn from a pool of 10,000 words would be 6 words long. You can obviously use a mix of strategies to get the balance you'd prefer.
For offline attacks, if the password is stored using something relatively insecure like SHA256 (which is not compromised, it's just too fast), it's very inexpensive to make billions of guesses per second against a hash like that. They'll go through a list of the top 10 million most common passwords, then start iterating through lists of combinations of common dictionary words. Most password cracking software is very smart and will try all kinds of substitutions.
Assume that "Forgive" and "her" are in a dictionary of the 2000 most common words. Trying all 2-word combinations would be 2000^2 = 4 million guesses. They try with and without a special character (including a space) between them - assuming say 15 different characters, that's 60 million guesses. Try it with the first letter capitalized and uncapitalized, then also try each word alternately in all-caps (multiply by 5) 300 million guesses. Let's assume that each word, using common "1337" substitutions, has an average of 10 alternate forms - that's 3 billion guesses to cover the entire space of the 2000 most common words with all kinds of variations. On average your password will be about halfway through the list, so say 1.5 billion guesses to get there. If you used a $50 GPU, this would take maybe 10-20 seconds to complete. If you used ASICs designed for mining bitcoin, it would take much, much less than a second.
Of course, the attackers might try other strategies. If they used a pure brute force, they'd never get to Forgive@her, but password cracking has gotten a lot smarter than that. You're basically taking a risk that this strategy (which is actually a subset of a more commonly used strategy) is not known by the hackers, because if it is, you'll be cracked very, very quickly.
Best practice in password strategies is to assume that the hacker knows your exact strategy and calculate the entropy of the password. The best "bang for your buck" is fully random, random-case passwords with all special characters possible. Assuming a 96 character set, a 12-character password like that has about 10^23 combinations, so even making 100 trillion guesses per second would take 200 years. If you want to use words, effectively case insensitive, you'll probably need more characters (but fewer words) - a password of equivalent security drawn from a pool of 10,000 words would be 6 words long. You can obviously use a mix of strategies to get the balance you'd prefer.