Assuming the attacker knows the the password creation method (and the math assumes the attacker does in the first case), then the attacker knows the word list and the passphrase algorithm.
11 bits per word gives you a grab bag of 2048 possible common words. To guess the password, assuming each word is unique, the attacker needs to try
2048 * 2047 * 2046 * 2045 = 17,540,692,561,920
possible combinations. Initially, you'd think an eleven character password with totally random uppercase, lowercase, numbers and symbols would give you 66 ^ 11 combinations for 66 bits of entropy, but since nobody can actually remember such a random combination, the resulting passwords using these rules are much less secure than that.
Assuming the attacker knows the the password creation method (and the math assumes the attacker does in the first case), then the attacker knows the word list and the passphrase algorithm.
11 bits per word gives you a grab bag of 2048 possible common words. To guess the password, assuming each word is unique, the attacker needs to try
2048 * 2047 * 2046 * 2045 = 17,540,692,561,920
possible combinations. Initially, you'd think an eleven character password with totally random uppercase, lowercase, numbers and symbols would give you 66 ^ 11 combinations for 66 bits of entropy, but since nobody can actually remember such a random combination, the resulting passwords using these rules are much less secure than that.