
oasis789: The usual response to XKCD style passphrases is this paper: http://www.jbonneau.com/doc/BS12-USEC-passphrase_linguistics.pdf
Which says "Our work suggests that multi-word passphrases have some promise as a means to improve security over traditional passwords".
They also mention that predictable patterns can be traced...

oasis789: It is also specifically discussed by crackers here: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/3/
Language is SUPPOSED to be predictable and understandable because it's meant to convey ideas swiftly and unambiguously... which constitutes the root of the problem.
Here are a few ideas:
1* Different languages. Are hackers going to sic their Polish dictionaries against me? The English ones? Both? If so, one after another or jointly? Are they seriously going to plow through every conjugation and declension? From "niemaniebieskiejkrowy" to "widziałemniebieskąkrowę"?
2* The first text suggests that verbs are commonly typed with adverbs and nouns with adjectives... Something like "forevermayonnaise" would stump them ;P.
3* Short, two-word passphrases were mostly discussed in both articles. As soon as we move onto longer ones, the number of options increases staggeringly.
4* What about people who use technical or uncommon terms (for instance: "Dasein")? If anything, their passwords should be cracked as the last ones. Both texts assume that ordinary people use ordinary words to create predictable phrases that can easily be cracked... What about people who have a broad range of linguistic assets they can utilize and aren't afraid of doing so? In other words, what about non-idiots?
5* If my passphrases are like the dreams of a schizophrenic, what hope do people really have of finding them in dictionaries? Would "" work? Well known, still absurd. What are the chances of "plazzformer" (http://www.youtube.com/watch?v=9nQW6Kle_S0) getting cracked? Well, there's an online source for that... How about my RPG characters? Very memorable names TO ME, not dictionariable. You could argue that some MAY be found if a person read all my email, chat logs or broke into my house and read through every sheet of paper around, fine... How about the frankensteinian monstrosities that came to be through years of being in the blender of my and my mom's mercurial minds? Only exist in spoken language, eldritch and bereft of outside-worldly connotations, only known to two people. Well, I guess there are keyloggers and spy-cameras for such instances ;). Then again...
6* ...if people want my password THAT much and they'd be willing to go through hours of attempted pattern-matching, masking, mixing and brute-forcing... You know what? They can have it. Screw them. I can invent a new one. I'm not a secret agent, I don't have anything worth getting hands on...
7* Not to mention that for things that MATTER there are the good ol' three degrees of verification: something you are, something you own and something you know. As long as I get sent verification codes to my cellphone, and THAT doesn't get intercepted, I should be fine.
Post edited July 03, 2013 by Vestin
A shame this didn't happen while UbiDRM was at its peak. Ubishit might have taken it as a hint.

Just to be clear about this, I'm saying this as a Ubi account holder.
KneeTheCap: Out of curiosity, what did the service do to your beautiful PC machine?
My baby was left vulnerable when Uplay, without my consent, installed a plug-in for my browser which enabled anyone to have their way with my machine. Shortly after this became news, I got a security warning and it turned out I had a bunch of root-kits burrowing into my darling. Until this I had had no problems, no viruses, everything had been peachy between us. I do not think it is a coincidence that my computer was fine and virus free right up until the very week that Uplay did another oops with their security. Of course I have no proof, how can I? I'm no computer security specialist, but it is too big a coincidence to deny in my view. I had to completely reformat and reinstall everything on my PC. I only had Uplay because I am a huge HoMM fan, and I had to get it to play #6, big mistake. It took me months to get reacquainted with my baby and to get past 1st base again. :(
:P
Have asked them questions on their forum, this 16 character limit is really confusing me. I could believe that a dev decided to limit it to that because he thought he should, but it seems strange that ubi are not just changing it to a larger value. I suppose it must be the overhead of getting a uplay update synchronised with a forum update.

He hasn't responded to my second question. Refer me to support and I will demand that support are referred to me! In this case, everyone else too.

It does pose an interesting customer service question - why is it that companies tell people to contact support? Surely if you've got the issue, and someone in the company knows that's an issue, they should get support to contact you? I assume it's the standard hoping they'll go away, but it could promote an interesting positive support approach in the more support friendly companies (places like Apple that aren't actually support friendly, but pretend you're important, and could therefore proactively fob you off).
Post edited July 03, 2013 by wpegg
wpegg: Have asked them questions on their forum, this 16 character limit is really confusing me. I could believe that a dev decided to limit it to that because he thought he should, but it seems strange that ubi are not just changing it to a larger value. I suppose it must be the overhead of getting a uplay update synchronised with a forum update.
Limits on password length can point to passwords being stored improperly. If the passwords are being properly hashed then the output should be a set number of bits, regardless of the length of the plaintext password. I don't know enough about the tech involved to be able to say if a 16 character limit points to any particular type of improper password handling, but short limits like that always make me very, very suspicious.
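To make the point in that last post concrete, here is an added example (my own illustration, not code from Ubisoft, Uplay or anyone in this thread). It hashes a password with PBKDF2-HMAC-SHA256 from the Python standard library and shows that the stored value is 32 bytes whether the password is 16 characters or 200, so a proper hashing scheme gives the server no reason to cap input at 16. For contrast it models the storage that such a cap does hint at: a fixed-width plaintext column, where everything past 16 characters is silently dropped and two different passwords become indistinguishable. The iteration count, salt size and column width are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example for this thread, not code from any real service.
# PBKDF2-HMAC-SHA256 is used because it ships with Python; the iteration
# count is an assumption, tune it to your own hardware.
ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST_BYTES = 32  # SHA-256 output size; fixed regardless of input length


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest).

    The digest is always DIGEST_BYTES long, so the database column holding
    it has a fixed width no matter how long the password is.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def stored_width(password: str) -> int:
    """Bytes written to the database for this password under proper hashing."""
    return len(hash_password(password)[1])


# Contrast: a CHAR(16) plaintext column (constructed illustration). A hard
# 16-character limit on the login form is what this kind of storage produces:
# anything past the column width is lost, so different passwords collide.
COLUMN_WIDTH = 16


def plaintext_column_store(password: str) -> str:
    """What a fixed-width plaintext column actually keeps."""
    return password[:COLUMN_WIDTH]


def plaintext_column_collides(a: str, b: str) -> bool:
    """True if two different passwords are indistinguishable once stored."""
    return a != b and plaintext_column_store(a) == plaintext_column_store(b)


if __name__ == "__main__":
    short = "a" * 16
    long_pw = "widziałemniebieskąkrowę forevermayonnaise Dasein plazzformer"
    for pw in (short, long_pw):
        print(f"{len(pw):3d} chars -> {stored_width(pw)} bytes stored when hashed")
    salt, digest = hash_password(long_pw)
    print("verify correct:", verify_password(long_pw, salt, digest))
    print("verify wrong:  ", verify_password(long_pw + "!", salt, digest))
    print("CHAR(16) collision:",
          plaintext_column_collides("0123456789abcdefX", "0123456789abcdefY"))
```

A short limit does not by itself prove plaintext storage; bcrypt, for instance, only processes the first 72 bytes of input, so some sites cap there to avoid silent truncation. But 16 is far below any such algorithmic limit, which is why a cap that small deserves the suspicion the post describes.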