I want to start using a Keepass master password that I can easily remember.
Let's take this sentence: I really hate blue mountains, and let's make it one password: ireallyhatebluemountains.
Is this strong enough as a Keepass master password?
I hear that we should always include capitals, digits and special characters but if this really a requirement?
Let's first establish clearly what should be a common sense truth: A password manager master password is a very high value secret. (This is irrespective of which password manager you are using.)
This is for a rather simple, fundamental reason: this one password, together with the encrypted password database that it protects, essentially allows full access to every account for which you have credentials stored within that database.
Thus, you should ensure that this password has a corresponding level of security. Traditionally, this has led to the use of weird password schemes which have tried to combine the goals of making passwords memorable as well as making them secure. With today's computing resources, that's just not a practically achievable goal with a simple password any longer.
Instead, I like to recommend Diceware style passphrases. (Diceware is similar to the scheme described in XKCD 936, but more explicit on how to gather the randomness. Also, in Diceware, if the generated sequence of words makes sense linguistically, you are actually supposed to start over.) In proper Diceware, you use a random physical process (throwing physical dice) to gather randomness, then convert that randomness into words by looking up the numbers in a list of words. In the specific case of Diceware, you use five throws of ordinary six-sided dice to generate about 12.9 bits (log2(6^5) = log(6^5) / log(2) ~ 12.92481... bits) of randomness per word. While for reasons of physics regular play dice tend to not be perfectly fair (produce every value with equal probability), if this is a concern to you then it is possible to buy "casino dice" that are perfectly fair; however, the error is likely small enough that a single extra word accounts for any reasonable reduction in dice fairness, and you can easily test your own particular dice by making a reasonable number of throws and noting how many times each value comes up (which with perfectly fair dice and a large number of throws should be 1/6 the number of throws, because the dice is six-sided).
Since we normally assume that an adversary knows how you generated your password or passphrase but not the exact input or end result, this means that the adversary knows that you generated it using the Diceware method and dictionary. They might very well even know the length of your password.
Given those assumptions, we can actually directly calculate how difficult a Diceware passphrase is to guess: For a properly generated Diceware passphrase, each word corresponds to something very close to 12.9 bits of security. For a reasonably well generated passphrase using ordinary play dice, this is probably a little less simply because all values are not equally probable.
For a high-value password where an offline attack is a feasible mode of attack, such as that to a password manager, I'd probably want at least 90-100 bits worth of security. 100 bits worth of security using Diceware needs eight words. (100 / 12.9 ~ 7.752, and round upwards.) Since the average Diceware word is about 4.2 characters, and you need a separator (conventionally a space) between them, this means a passphrase giving you about 100 bits of security becomes approximately 41 characters long. (8 x 4.2 characters, plus 7 separator characters, is 40.6.)
For comparison, this is less than twice the length of your example ireallyhatebluemountains (which clocks in at 24 characters) but, as also illustrated by the other answers, is far more secure in practice and not much more difficult to remember. Your example password would essentially need to be generated completely randomly for it to have similar security (100 / log2(26) ~ 21.3 characters to get to about 100 bits: log2(26^21.3) ~ 100.12).
It all depends on entropy as seen in @Yuriko's link but also on a related concept: the basis.
The entropy is a concept coming from thermodynamics. It basically represents the number of possible states reachable by a given system. In practice, in the computer-security realm, it is related to the number of combinations ("states") that exist, that is to say, the number of possible passwords one has to try before guessing correctly.
For instance, take your 23-letter password. Using only the 95 ASCII printable character, the attacker would need to try at most 2e45 passwords to correctly guess it. This value (2 followed by 45 zeros), is directly related to the entropy we are talking about. If that value goes up (because you added one character in your password for instance), the entropy goes up which means that your password becomes stronger.
This is the exact reason why you can hear that people should use longer password, not complex-to-remember ones.
The concept of basis comes from algebra. Without going into much details, the basis represents the available building blocks to represent a system. In practice here, the basis is your password building blocks: the available letters.
For instance, I've just written about "95 printable ASCII characters". This is a basis: to create a password, your are allowed to use letters from those 95 letters. Another basis could be "the 26 lowercase basic letters" or the "52 upper and lowercase basic letters" or "the set of lowercase letters minus 'l' and 'o' with all the numbers".
The basis can be even more complex:
Your password must be composed of a series of existing words.
or
Your password must be at least 8-character long. It must be composed of alphanumeric characters plus ':', ";" or "!". It must contain at least one uppercase letter.
can also be expressed as a basis.
The minimal basis is the smallest basis that can be used to express the password that the attacker wants to guess. In our case, the minimal basis for your password is a set containing your password only. :)
However in the case of a real attack, this is exactly what we want to know. Yet attackers will choose a basis that is deemed large enough but not too large in order to avoid expensive calculations.
Now let's imagine that the attacker uses the basis "all the 26 basic lowercase characters" to crack your password, it would require at most 4e32 (4 followed by 32 zeros) guesses to be sure to get your password. Even at a testing rate of 1 billion passwords per seconds, it would still be quite safe.
Now let's imagine the attacker uses the basis "common english words" (2000), then it would require at most 3e16 guesses, which can be done within a year.
This is one of the reasons why some people still recommend to force the use of a larger minimal base by imposing rules at password creation time. That means that if you are using a basis element (character, word, etc.) that is not included in the basis the attacker chose, he just cannot guess your password. That means that the only attackers able to find your password would need to use a larger basis which will require a lot more time.
Now I guess that you understand the relationship between the entropy and the basis: the larger the basis, the larger the entropy. Said otherwise, the entropy is related to:
(basis size)^(number of basis elements)
The whole point of the XKDC comics is to understand that increasing the basis size is something our brain is not good at: the result seems more random but it is not (and it is generally harder to remember).
To paraphrase what the author already said, take an 8-character password: it will be 2000 faster to try all the possible combinations if the attacker knows that the password is made of "the 26 lower case letters and 10 numbers" than if he thinks there can be any ASCII characters in it.
In comparison, just add 3 extra character to the original password and you already are 20 slower than the 8-character ASCII password.
Most password cracking programs contain a statistical analyser (or the results of previous analysis). The purpose of this kind of code is to adapt or tweak the attackers minimal basis to the human mind and habits.
For instance, most people capitalize the first letter of their password when they have to. This is so common that this is tested in priority. Most people who use words as basis elements tend to create sentences. Some letters are more likely followed by some other letters, etc.
To avoid that and get the maximal entropy out of your password (and therefore the strongest passwords), you need randomness to defeat all these statistical attacks.
This is one thing that your current passphrase lacks.
Basically Yuriko already told you the answer to this question.
Complex passwords are dead for some time already. In fact, I get really mad when some service forces me to use some complexity because it's just useless. You always end up either forgetting the password or with very similar passwords (which is not the same as reusing the same password, which is even worse).
So the bottom line is, it's better to use a simple but longer password than a short complex one. If you want to add some complexity, for example for not using just small case chars, capitalize some of them, for example the beginning of each word (IReallyHateBlueMountains), the first and the last chars (IreallyhatebluemountainS), or whatever other pattern (ireallyHATEbluemountains).
No one would be able to guess any of those passwords with any cracking tool.
For your exact example, "I really hate blue mountains": no, it's not a strong enough password. But probably not for the reasons you think.
It has nothing to do with the complexity of the password, i.e. it is not weak because it lacks capital letters, numbers, special characters, etc.
It is weak for two primary reasons:
Since you're using KeePass, I may as well recommend the WordSequencer plugin for generating your master password. Full disclosure: I contribute to this plugin's development, so I may be a bit biased.
Also important: make sure your database is set up with a high number of key transformation rounds to make it harder on any attackers who may come across your database. The default value is not very secure. A stronger value can make a mediocre password "secure enough", but the default value will cause the same password to fall very quickly.
You need entropy if you want your password strength to me measurable. It is impossible to estimate the amount of entropy in I really hate blue mountains because nobody knows the method that you used to generate it. You could chance that an attacker won't guess how you generated it assuming all attackers that would target you are not as clever as you, or you could use maths to ensure that any clever attackers that want to target you have an unfeasibly large challenge ahead. If you "just thought of it" it is possible it is not really random at all.
Also note, as JPatta points out, if your chosen password happens to fall within the wordlist or character set that an attacker is using, then the entropy is reduced. The zxcvbn "password strength" meter does a good job of showing which word lists and character sets your password can be reduced to, and the amount of effective entropy thereof.
If you want to go for the latter approach then you do this by having lots of password entropy - the NIST recommendation of password entropy is 80 bits.
80 bits in your password would take a determined attacker 54,764 years on average to crack (the link shows maximum time). Remember this is bits of entropy, not bits in the end-result (e.g. a random word isn't the number of bits taken to represent that word, it is the number of bits taken to represent your choice in your list of words). This means that your password generation mechanism should be totally random (the human brain is not random enough for this, although a cryptographically secure random number generator is).
If you want it to be memorable, use a scheme such as Diceware. For this you need 7 dice words (each word is ~12.9 bits of entropy).
