Assuming the words are not repeated, this would give a total number of possibilities :
$N(L) = \sum_{i=1}^L {170000 \choose i}$
No: this is the total number of sets of $L$ words, but the words have to be in order, so the value is actually
$N(L) = \sum_{i=1}^L \frac{170000!}{i!}$.
Furthermore there is no reason not to repeat words: this just makes the passphrase slightly easier to guess. So the number of $L$-word passphrases is actually $170000^{L}$. The number of passphrases of $1$ to $L$ words is
$$N(L) = \sum_{i=1}^L 170000^i$$
The attacker is actually fairly likely to know the number of words in the passphrase, but this doesn't change the number by much.
Doing the calculation, $N(14) < 2^{256} < N(15)$.
Is it then correct to assume that, if the attacked knows the "password" is indeed a passphrase made up of english keys, then the passphrase needs to be at least 18 15-word long in order for it not to be the weaker link in the AES encryption scheme?
Still no, because the cost of testing a passphrase is higher than the cost of testing a key. To test a passphrase, the adversary has to first derive the key from the passphrase, and then test the key. Deriving a key from a passphrase is deliberately slow: it uses a key stretching function.
Just how much slower key stretching is compared to a hash calculation depends on the choice of key strecthing algorithm, on how it's parametrized and on what hardware the attacker has. For brute force on this scale, the cost of hardware design is negligible, and the cost is dominated by power consumption. For a legacy iterated-operation key stretching function such as PBKDF2, the amount of silicon to power for the key stretching is not significantly higher than for AES. It's typical to pick a slowness factor such that one run costs a few tenths of seconds, compared to a few billionths of a second for the AES part, meaning a ratio of about $2^{26}$. With a modern key stretching function that's also memory-hard, the ratio is higher since you also have to power the RAM. I'm going to use $2^{30}$ as the ratio.
This means that in order for AES to be weaker against brute force than the passphrase, we need $N(L) \ge 2^{256}/2^{30} = 2^{226}$, which is achieved for $L \ge 13$.
But… this number is not meaningful! There is absolutely no need for passphrase cracking to be slower than AES cracking, because AES cracking is already way beyond impossible. If passphrase cracking is impossible, but “less impossible” than AES, it's still impossible.
The Bitcoin network uses about 0.4% of the world's total electricity production (source: ≈ 100 TWh/year out of somewhat over 25000 TWh/year) and calculates ≈ $2^{93}$ hashes/year. Assuming you'd get the same number of elementary operations per Wh for passphrase cracking, with the cost factor difference of $2^{30}$ I estimated above, this means that an upper bound for passphrase cracking is $2^{63}$ per year.
So if you want your key to be secure from an NSA-level adversary for a thousand years, you need $N(L) \ge 1000 \cdot 2^{63} \approx 2^{73}$, which is achieved for $L \ge 5$.
At this level of strength against brute force, brute force just isn't a concern. Or rather, “brute force” as in supercomputers isn't a concern. The brute force that is a concern is one applied with a blunt instrument.
![A Crypto nerd's imagination:
[Cueball is holding a laptop, and his friend is examining it.]
Cueball: His laptop's encrypted. Let's build a million-dollar cluster to crack it.
Friend: No good! It's 4096-bit RSA!
Cueball: Blast! Our evil plan is foiled!
What would actually happen:
[Cueball is holding a piece of paper and giving his friend a wrench.]
Cueball: His laptop's encrypted. Drug him and hit him with this \$5 wrench until he tells us the password.
Friend : Got it.](https://i.stack.imgur.com/Wmz3r.png)
Actual actual actual reality: a really motivated attacker will find the passphrase through phishing or, for really careful users and powerful attackers, by planting a camera or planting malware. (Or a combination thereof.)
