> attackers shouldn't be able to determine the password even if they know what method you use to create it
Yes, if every user applies a cryptographically sound key generation technique this is indeed the theory. I think Bruce's general point is that if you ask the average punter to string 3 words together the amount of entropy is far from what it looks like, and so the algorithm is not cryptographically sound - you either need longer key lengths (more words), or a new algorithm.
> Why, that's less than a week!
I assumed that he's talking about rainbow table attacks working backwards from a website which has leaked a hash, the issue is not processing time (you only have to generate the rainbow table once per salt), but the amount of space it takes to store the tables.
Assuming most users pick from a relatively small pool of words in common use, it's not an insurmountable search space. Yes, the total search space in theory is pretty enormous but, I suspect many people have a password with "Cat" in, and many more with "Dog", and more than a few with "Password". Hackers only have to skim off the 1% of the easiest passwords to get into a system- not the 1% of the geeks with the uber difficult ones which are hard to remember ;P