1. It doesn't matter if the attack is online or not. If the hacker has your hashed password, then he can get your password from that. The brute force attack becomes feasible because he can run millions/billions of tries per second on your password. (If he does it on a repository of hashed passwords, then the rewards per try are even greater.)
2. The words are in your memory, not in the password. If my password is "agmlpoas", then I can remember it as "all good men like pickles on afternoon sandwiches". The password can be as random as you like.
3. When you have an organization like the NSA devoting tens of thousands of CPUs (or specially designed digital circuits implementing a hash/encryption function) to such an effort, your offline attack becomes feasible (unless you have a lot more characters in your password than most people want to type).
A truly unbreakable encryption method will make it impossible for an attacker to tell whether he's had success in breaking the encryption. (That's why the one-time pad works: it decodes to a very large number of potentially valid messages.) If everyone's messages were littered with words from the Bin Laden book of anarchy, then the NSA would have a more difficult time knowing who the real bad guys were.
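
The one-time pad point above, as an added example that is not part of the original comment: for a pad as long as the message, every same-length candidate plaintext is explained by some key, while a short repeating key leaves only the real message consistent, so a guesser can tell when he has succeeded. The sample messages, the 4-byte repeating key and all function names are constructed for illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def stretch(key: bytes, n: int) -> bytes:
    """Repeat a short key until it covers n bytes."""
    return (key * (n // len(key) + 1))[:n]

def otp_key_for(ciphertext: bytes, candidate: bytes) -> bytes:
    """Pad under which `ciphertext` decrypts to `candidate`; one always exists."""
    if len(candidate) != len(ciphertext):
        raise ValueError("a one-time pad key is exactly as long as the message")
    return xor(ciphertext, candidate)

def repeating_key_for(ciphertext: bytes, candidate: bytes, key_len: int):
    """key_len-byte repeating key mapping ciphertext to candidate, or None."""
    stream = xor(ciphertext, candidate)
    key = stream[:key_len]
    # The implied keystream must really be periodic, otherwise no such key exists.
    return key if stretch(key, len(stream)) == stream else None

# Constructed sample messages, all the same length (22 bytes).
REAL = b"meet at the north gate"
CANDIDATES = [REAL, b"lunch is at noon today", b"cancel everything now!"]

def compare(key_len: int = 4):
    """Return the candidates an eavesdropper cannot rule out under each scheme."""
    n = len(REAL)
    otp_ct = xor(REAL, secrets.token_bytes(n))                     # true one-time pad
    rep_ct = xor(REAL, stretch(secrets.token_bytes(key_len), n))   # short key reused
    otp_ok = [c for c in CANDIDATES
              if xor(otp_ct, otp_key_for(otp_ct, c)) == c]
    rep_ok = [c for c in CANDIDATES
              if repeating_key_for(rep_ct, c, key_len) is not None]
    return otp_ok, rep_ok

if __name__ == "__main__":
    otp_ok, rep_ok = compare()
    print("one-time pad, still possible:", otp_ok)
    print("repeating key, still possible:", rep_ok)
```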