
It is reducing the search space drastically: Word (about 30% of the total length, and might be capitalized) + number (15%) + symbol (1 character) + word (50%).

The search space for a length n is: 2 x 26^(n/3) x 10^(n/6) x 30 x 26^(n/2) = 60 x 26^(5/6 x n) x 10^(n/6) = 60 x 10^(5/6 x n x log10(26)) x 10^(n/6) =~ 6 x 10^(1.17914n) x 10^(0.16666n) = 6 x 10^(1.34581n)

So that's about a 6 followed by 1.5n zeroes of search space for length n, approximately. Using only 100 characters of the ASCII code tables, you have a search space of 10^(2n) possible passwords, which is about n/2 orders of magnitude larger than Haddock's search space.

Disclaimer: I'm a HS student, no crypto folk, so the above might be wrong, but it's basic combinatorial stuff. And that's just theory, in practice, with just "password1", "letmein" and "123456" for a dictionary attack, you can hack into like 3% of the accounts of a site that doesn't use Haddock.

Edit: Oh, I didn't even think of this: THE WORDS ARE ALL VALID ENGLISH WORDS! That makes hacking in a lot easier.
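The estimate in the comment above, evaluated numerically, as an added example that is not part of the original comment. It evaluates the comment's first expression as written, compares it with the 100-character baseline, and adds the dictionary case raised in the edit; the per-length word counts in `ASSUMED_WORDS_BY_LENGTH` are constructed values for illustration, not measurements of any real word list.

```python
import math

SYMBOLS = 30        # symbol choices, taken from the comment's formula
CASE_VARIANTS = 2   # first word capitalized or not, per the comment

# Constructed assumption: how many dictionary words exist at each length.
ASSUMED_WORDS_BY_LENGTH = {4: 4000, 6: 15000}

def log10_template_letters(n):
    """Comment's formula: 2 x 26^(n/3) x 10^(n/6) x 30 x 26^(n/2), as log10."""
    return (math.log10(CASE_VARIANTS * SYMBOLS)
            + (n / 3 + n / 2) * math.log10(26)
            + n / 6)

def log10_uniform(n, alphabet=100):
    """Every position drawn independently from `alphabet` characters."""
    return n * math.log10(alphabet)

def log10_template_dictionary(n, words_by_length):
    """Same template, but each word slot is a real word of the slot's length."""
    first = words_by_length.get(round(n / 3), 0)
    second = words_by_length.get(round(n / 2), 0)
    if first == 0 or second == 0:
        return float("-inf")  # no word fits a slot, so no passwords exist
    return math.log10(CASE_VARIANTS * SYMBOLS * first * second) + n / 6

def to_bits(log10_value):
    """Convert a log10 search-space size to bits of entropy."""
    return log10_value / math.log10(2)

def compare(n, words_by_length=ASSUMED_WORDS_BY_LENGTH):
    """Return the three estimates for length n, in bits."""
    return {
        "uniform_100_chars": to_bits(log10_uniform(n)),
        "template_random_letters": to_bits(log10_template_letters(n)),
        "template_dictionary_words": to_bits(
            log10_template_dictionary(n, words_by_length)),
    }

if __name__ == "__main__":
    for name, value in compare(12).items():
        print(f"{name:28s} {value:6.1f} bits")
```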


