say that for each word there are about 2000 words that a person would commonly use
I think this is an extremely low estimate, but OK.
What about capitalization, e.g. “I have a Black hat”? That means the number of possibilities just doubled for each word.
What about punctuation, e.g. “I have a Black hat!” or “I have a tall, black hat”? That’s a few possible characters that may or may not be present. With the comma alone we’ve doubled the number of attempts for each word. And the end of the sentence has to be tried with a period, question mark, exclamation point at least.
Without even breaking a sweat, I’ve increased the REAL number of comparisons you’d have to attempt to (6000 ^ 5) * 3 or
I guess the hypothetical attack tool you are talking about would have a complete command of English (and perhaps other languages/words/grammatical errors that might slip in)? I don’t know how it would know what capitalization and punctuation rules make sense to try, or even which words statistically follow other words. I am not sure this attack tool you’re describing A) even exists or B) is possible to create. It’s certainly several orders of magnitude more difficult than a simple “check the next ASCII character in sequence”.
Furthermore, it’s trivial to add words. I could easily change this passphrase to “I have a tall, Black Stovepipe hat!” or enforce a “must be at least n words” rule.
(6000 ^ 7) * 3
This compares quite favorably to your 16-character password nobody can remember, “xY6^ui*9uiyrt”.