Comment by jerf

10 years ago

'"F34r is the mind killer." as an example, does use replacement,'

This is the sort of thing I mean, though, when I say we don't usually use fully random replacement. 3 for e, 4 for a, $ for s, these things add very little entropy overall because they are so common. We don't really use "symbols" in our passphrases; we use only !@$& probably overall, and those in highly stereotyped situations.

Suppose you know the first four characters of someone's password are "hous"; what's the next character? Big, big spikes around e and 3, maybe a smaller one on E and i/I, then "everything else".
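The skew described in the comment above can be put in numbers; this is an added example for password-strength estimation, not part of the original comment. The spike probabilities and the 25% substitution rate are assumptions made up for illustration, and the 95-character alphabet is printable ASCII.

```python
import math

PRINTABLE = 95  # printable ASCII characters
# Constructed next-character probabilities after the prefix "hous": the spikes the
# comment describes. The numbers are assumptions for illustration, not measured data.
SPIKES = {"e": 0.70, "3": 0.15, "E": 0.04, "i": 0.03, "I": 0.02}
# The stereotyped replacements the comment names.
LEET = {"e": "3", "a": "4", "s": "$"}

def next_char_probs(spikes=SPIKES, alphabet=PRINTABLE):
    """Spike probabilities plus the leftover mass spread evenly over 'everything else'."""
    others = alphabet - len(spikes)
    rest = (1.0 - sum(spikes.values())) / others
    return list(spikes.values()) + [rest] * others

def shannon_bits(probs):
    """Shannon entropy in bits of a discrete distribution."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def expected_guesses(probs):
    """Average number of guesses when candidates are tried most-likely first."""
    ordered = sorted(probs, reverse=True)
    return sum(rank * p for rank, p in enumerate(ordered, start=1))

def leet_bits(phrase, table=LEET, p_sub=0.25):
    """Upper bound on bits added by independently swapping each eligible letter
    with probability p_sub (an assumed rate); consistent habits add even less."""
    eligible = sum(1 for ch in phrase.lower() if ch in table)
    h = -(p_sub * math.log2(p_sub) + (1 - p_sub) * math.log2(1 - p_sub))
    return eligible, eligible * h

if __name__ == "__main__":
    skewed = next_char_probs()
    uniform = [1 / PRINTABLE] * PRINTABLE
    print(f"next char after 'hous': {shannon_bits(skewed):.2f} bits, "
          f"{expected_guesses(skewed):.2f} guesses on average")
    print(f"fully random character: {shannon_bits(uniform):.2f} bits, "
          f"{expected_guesses(uniform):.2f} guesses on average")
    n, bits = leet_bits("Fear is the mind killer.")
    print(f"{n} eligible letters: leet adds <= {bits:.2f} bits, "
          f"random replacement would add {n * math.log2(PRINTABLE):.2f}")
```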