Yes, more words is ideal. The ideal authentication scheme is that the attacker knows absolutely the system you use but it is still secure within realistic time constraints. So using randomly generated words from a sufficiently long list (such as this one https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt ) and as long as the hashing algorithm is sufficiently complex, then you are mathematically protected with a minimum number of words.
For example using a 6 word pass phrase from the above 10000 word list would on average require 5e23 attempts to correctly guess it. For credential stuffing this is absolutely impractical. For cracking a leaked password hash we can figure out how secure it is.
We assume that the service properly salts the passwords, so a rainbow table can't be used. If salted bcrypt hashes are used, a benchmarked 4-gpu rig did ~160 hashes/s, so even assuming a nation-state with 1E9 times as much computing power, we get 1.6e11 hashes/s, so this gives us on average 3.1e12 seconds to crack, which is about 100,000 years. Which means that no-one (pre-quantum) can crack that password.
For example using a 6 word pass phrase from the above 10000 word list would on average require 5e23 attempts to correctly guess it. For credential stuffing this is absolutely impractical. For cracking a leaked password hash we can figure out how secure it is.
We assume that the service properly salts the passwords, so a rainbow table can't be used. If salted bcrypt hashes are used, a benchmarked 4-gpu rig did ~160 hashes/s, so even assuming a nation-state with 1E9 times as much computing power, we get 1.6e11 hashes/s, so this gives us on average 3.1e12 seconds to crack, which is about 100,000 years. Which means that no-one (pre-quantum) can crack that password.