I like the appeal (and the book) but I recall, when researching diceware, reading that this is a terrible idea in practice since the entropy is lowered dramatically by using natural language that's already in the public record. Even if they can't put every printed phrase into a lookup table, the probability of certain words following others wrecks the entropy.
Indeed, but for the attack discussed here (someone calls support and pretends they're you) you don't need that much entropy, as you can't test different phrases quickly.
You just need a larger number of random words to reach the same entropy as random passwords. It's not like your random password is made up from secret alphabets!
You seem to be misunderstanding how diceware works. You randomly generate numbers by throwing dice. Every five rolls indexes exactly one "diceware" word. So even if an attacker knew we were using diceware, each word contains
log2(6^5) = log2(7776) ≈ 12.9 bits
of entropy. If you want 128 bits of entropy in your security question field, then just randomly generate 10 diceware words. This is comparable to choosing 20 random printable ASCII characters or so.
Since we pick the words by literally throwing dice, English grammar has nothing to do with it.
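As an added example, not written by any commenter in this thread: the dice-to-word indexing and the entropy arithmetic from the comment above in Python. The word list is a constructed placeholder (one dummy word per 5-roll key) standing in for the real 7776-word diceware list, and `secrets.randbelow` stands in for physical dice.

```python
import itertools
import math
import secrets

DICE_SIDES = 6
ROLLS_PER_WORD = 5
PRINTABLE_ASCII = 95  # printable ASCII, 0x20..0x7E

def all_keys():
    """Every 5-roll key "11111".."66666": 6^5 = 7776 of them, in list order."""
    return ["".join(map(str, r))
            for r in itertools.product(range(1, DICE_SIDES + 1), repeat=ROLLS_PER_WORD)]

# Constructed stand-in for a real diceware list: a placeholder word per key.
SAMPLE_WORDLIST = {k: f"word{k}" for k in all_keys()}

def roll_key(rng=secrets.randbelow):
    """Five unbiased rolls -> one key such as '35142'.
    secrets.randbelow draws from the OS CSPRNG and stands in for real dice."""
    return "".join(str(rng(DICE_SIDES) + 1) for _ in range(ROLLS_PER_WORD))

def generate_passphrase(n_words, wordlist=SAMPLE_WORDLIST, rng=secrets.randbelow):
    """n independently dice-indexed words; English grammar plays no part."""
    return " ".join(wordlist[roll_key(rng)] for _ in range(n_words))

def bits_per_word(wordlist=SAMPLE_WORDLIST):
    """Entropy per word is log2 of the number of *distinct* words the dice can
    select. A list with missing keys or duplicate words gives less than log2(7776)."""
    return math.log2(len(set(wordlist.values())))

def words_needed(target_bits, wordlist=SAMPLE_WORDLIST):
    """Smallest word count whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(wordlist))

def ascii_chars_needed(target_bits):
    """Length of a uniformly random printable-ASCII password with the same entropy."""
    return math.ceil(target_bits / math.log2(PRINTABLE_ASCII))

if __name__ == "__main__":
    print(f"{bits_per_word():.2f} bits per word")      # 12.92
    print(words_needed(128), "words for 128 bits")      # 10
    print(ascii_chars_needed(128), "ASCII chars")       # 20
    print(generate_passphrase(10))
```

The `bits_per_word` check is the one to run against a real list before trusting the 12.9-bit figure: a list with duplicate entries silently lowers the entropy of every word chosen from it.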