Why is a passphrase more secure than an eight character password?
The reason that a long passphrase is more secure than, for example, an 8-character mixed-type
password depends on the situation.
For Windows operating systems, there is a particular vulnerability for any password shorter than 15
characters, caused by the way Windows encrypts the password (for backwards compatibility reasons).
For environments other than Windows, it's simply about dramatically increasing the number of
permutations and hence the length of time taken to crack (actually to automatically guess) the corresponding
password. Fundamentally there are five attack types:
- Dictionary attacks: This involves using a dictionary of all words and proper nouns in a language
(typically 800,000 words in English) to automatically test each against the encrypted password.
This takes only a matter of minutes on a typical PC.
  - See this Wiki entry for more info.
- Hybrid attacks: This combines the dictionary attack with testing *every* possible character
as a prefix and/or a suffix to the dictionary word (usually one prefix and up to two or three
suffixes, such as "XpasswordXXX"). It often also includes common substitutions such as
'0' for 'o', '3' for 'e', '@' for 'a' and so on. This also takes only a few minutes on a normal PC.
- Brute-force attacks: This technique simply tries every possible character in every position in the
password. The time taken for this type of attack increases dramatically with the length of the password.
Nevertheless, recent developments in using Nvidia video cards as secondary processors have resulted in
significant reductions in attack times, making even a previously uncrackable password potentially
vulnerable. Note that "uncrackable" really means that it would take an unfeasibly long time to
try every permutation - say years or even centuries - but that as processors become more powerful
and new techniques emerge, this time will inevitably shorten significantly.
  - See this Wiki entry for more info on brute-force attacks.
  - See this page regarding the Nvidia attack.
- Rainbow table attacks: This is the technique which is pretty much always successful against Windows
passwords of less than 15 characters. Once a passphrase of 20 or 30 characters is employed, the LM hash
vulnerability disappears and rainbow table attacks are unfeasible due to the size of the tables required
for a long NTLM hash (thousands of terabytes).
  - See this Wiki entry for more info about Rainbow Tables.
- Social engineering informed attacks: This involves researching personal details of the user and
trying words which may correspond to their interests, pet names, loved ones and so on. This is really a
specialised dictionary attack and is usually unsuccessful against a passphrase due to word order, spaces
(which are characters as well!) and the wide variety of combinations of words available - contrast
"I want a red Ferrari" with "I'd love a red Ferrari" or "I want a Ferrari Enzo", each of which may
also include exclamation marks, full stops etc.
Hope that all helps. If you've read this far you deserve a medal! ;-)
Answered by Peter Wood on 22 October 2008
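The search-space argument made in the answer, worked through as an added illustration that is not part of the original page or the author's material. The 800,000-word dictionary, the one-prefix/three-suffix hybrid pattern and the 14/15-character LM threshold come from the answer; the 95-character printable alphabet, the 69-symbol upper-cased LM alphabet and the guess rate of 10^9 per second are assumptions.

```python
# Search-space model for the attack types in the answer above. Added illustration,
# not code from the page. Assumptions: 95 printable ASCII characters for brute
# force; the LM hash upper-cases the password (69 distinct symbols remain), pads
# or truncates it to 14 bytes and hashes each 7-byte half independently.
import math

PRINTABLE = 95              # printable ASCII characters tried by brute force
LM_ALPHABET = 69            # 26 upper-case letters + 10 digits + 33 symbols
LM_HALF = 7                 # LM splits the password into two 7-character halves
LM_MAX_LEN = 14             # 15+ character passwords have no LM hash stored
DICTIONARY_WORDS = 800_000  # dictionary size quoted in the answer

def brute_force_guesses(length, alphabet=PRINTABLE):
    """Worst-case guesses to exhaust every string of exactly `length` characters."""
    return alphabet ** length

def lm_guesses(length):
    """Worst-case guesses against the LM hash of a `length`-character password.
    The halves are cracked separately, so their costs add rather than multiply;
    an empty second half hashes to a known constant and costs nothing.
    Returns None when the password is too long to have an LM hash at all."""
    if length > LM_MAX_LEN:
        return None
    first = min(length, LM_HALF)
    second = max(length - LM_HALF, 0)
    return LM_ALPHABET ** first + (LM_ALPHABET ** second if second else 0)

def hybrid_guesses(words=DICTIONARY_WORDS, max_prefix=1, max_suffix=3, alphabet=PRINTABLE):
    """Dictionary words with 0..max_prefix leading and 0..max_suffix trailing characters."""
    prefixes = sum(alphabet ** n for n in range(max_prefix + 1))
    suffixes = sum(alphabet ** n for n in range(max_suffix + 1))
    return words * prefixes * suffixes

def years_to_crack(guesses, guesses_per_second):
    """Worst-case years to run `guesses` at a fixed rate."""
    return guesses / guesses_per_second / (365 * 24 * 3600)

def compare(length, guesses_per_second=1e9):
    """Worst-case years for full brute force vs. the LM shortcut (None if no LM hash)."""
    lm = lm_guesses(length)
    return {
        "length": length,
        "bits": round(math.log2(brute_force_guesses(length)), 1),
        "brute_force_years": years_to_crack(brute_force_guesses(length), guesses_per_second),
        "lm_years": None if lm is None else years_to_crack(lm, guesses_per_second),
    }

if __name__ == "__main__":
    print("hybrid dictionary guesses:", f"{hybrid_guesses():.3g}")
    for n in (8, 14, 15, 20):
        print(compare(n))
```

Run as-is to see why an 8-character Windows password under LM costs about as much to crack as a 7-character one, while a 15-character passphrase removes the LM shortcut entirely.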