I was thinking of a way to generate a password that is easy to remember, but hard to crack, like the famous "correct horse battery staple" suggested by XKCD, also discussed here, and I've realized I've never heard the suggestion to combine words from different languages. Other questions on this site deal with non-English passwords or dictionaries, but they don't consider mixing languages, which is what I am focusing on.
Let's take an example. My native language is Italian. If I translated the last two words and came up with "correct horse batteria graffetta", wouldn't it be a lot harder to crack than the English sentence?
Lots of people have at least basic knowledge of a second language, so it should be easy for them to choose a foreign word. Granted, if their level is low, they are likely to choose very simple words (like "hello", "cat", "dog") which would be easy to guess, and this would be bad. But excluding this case, that is, assuming the chosen words are not completely trivial, would this suggestion work? Would it provide stronger passwords, all else being equal (that is: the total length, the presence of lowercase/uppercase letters, numbers, and other symbols, the entropy...)?
In my opinion the effectiveness of this strategy depends on the attack. If it is purely brute-force (i.e. no dictionary), I'd say it's the same. But if the attack is dictionary-based (as is likely the case), wouldn't this technique thwart many attacks? How many dictionaries are there that combine words from more than one language? I think my example phrase "correct horse batteria graffetta" would be quite hard to guess.
Let's take this approach even further and add one more language. "Horse" in Italian is "cavallo", and in German it's "Pferd" (with capital P, but let's ignore this and keep everything lowercase). Wouldn't "horse cavallo pferd" be even harder? And this is just one word translated into 3 languages, which is probably a very bad idea. Let's take 3 unrelated words: window, shark, apricot. What about "window squalo aprikose"? I think this would be really hard to guess.
Of course, this is "security through obscurity", that is, this method works well if the attacker doesn't know that it is being used. Let's assume the worst case: he is aware of this, and he even knows what languages I speak. Clearly my idea would be mostly ineffective in this case, but still: wouldn't it be better than choosing words from a single language? The attacker would be forced to use a larger dictionary, and his attacks would take longer.
To conclude: I think creating a password by combining words from different languages can greatly reduce the effectiveness of a non-targeted dictionary attack (and possibly thwart it completely). If, instead, the attack is targeted, the benefit is smaller, but on the other hand there is no drawback. Therefore, this method can be seen as an improvement over XKCD's suggestion.
Am I right? Is it a good idea to adopt/recommend this technique, or am I missing something?
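Added example (not part of the original question): a sketch that quantifies the worst case described above, where the attacker knows the method and the languages, by comparing the guess space of a merged multi-language list with that of one extra word. The word lists are constructed toy lists, and the 2048-word list size is an assumption matching the 11 bits per word used in the XKCD comic.

```python
import math
import secrets

# Constructed toy word lists; real lists would hold thousands of entries.
WORDLISTS = {
    "en": ["window", "shark", "apricot", "horse", "battery", "staple", "radio", "correct"],
    "it": ["finestra", "squalo", "albicocca", "cavallo", "batteria", "graffetta", "radio", "corretto"],
    "de": ["fenster", "hai", "aprikose", "pferd", "batterie", "klammer", "radio", "richtig"],
}

def merged_pool(languages):
    """Union of the chosen lists. A word shared by several languages
    (here "radio") counts once, so the pool is smaller than the sum."""
    return sorted({w for lang in languages for w in WORDLISTS[lang]})

def entropy_bits(pool_size, n_words):
    """Entropy when every word is drawn uniformly at random from the pool,
    which is the attacker's guess space if the method and lists are known."""
    return n_words * math.log2(pool_size)

def generate(languages, n_words):
    """Pick words with a CSPRNG; human-chosen words have less entropy."""
    pool = merged_pool(languages)
    return " ".join(secrets.choice(pool) for _ in range(n_words))

def mixing_gain(list_size, n_languages, n_words):
    """Extra bits from mixing, assuming disjoint lists of equal size."""
    mixed = entropy_bits(list_size * n_languages, n_words)
    return mixed - entropy_bits(list_size, n_words)

def extra_word_gain(list_size, n_words):
    """Extra bits from adding one more word from a single list."""
    return entropy_bits(list_size, n_words + 1) - entropy_bits(list_size, n_words)

if __name__ == "__main__":
    size = 2048  # assumed list size per language
    print("sample:", generate(["en", "it", "de"], 4))
    print("4 words, 1 language :", entropy_bits(size, 4), "bits")
    print("gain, 3 languages   :", round(mixing_gain(size, 3, 4), 2), "bits")
    print("gain, one more word :", extra_word_gain(size, 4), "bits")
```

Under these assumptions, mixing three languages adds about 6.3 bits to a four-word phrase, while a fifth word from a single list adds 11.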