by dancodes 3175 days ago
Even though that phrase password is 16 characters long, it has the same entropy as a 9-10 letter long alphanumeric random password (according to KeePass' generator). I agree that it's easier to recall, but it's half as secure as a properly random 16 character one.
1 comments

I've used Debian's xkcdpass to generate 50 sets of 100 million passwords, then checked for duplicates. The algorithm uses six words and a large dictionary, but otherwise resembles the xkcd original.

There were no duplicates in any of the 50 sets. (About a week's runtime on a fairly modest Intel processor.)

Given that 100m accounts is a fair fraction of the world's active computer users, that's a pretty good start.

(There are further reasons for finding passwords alone insufficient for security, but at least these are strong, and yet potentially memorable, passwords.)
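The two comments above turn on two calculations: how many bits of entropy a word-based passphrase has compared with a random alphanumeric string of a given length (dancodes' point), and what a run of 100 million samples with no duplicates actually tells you about the size of the password space (the xkcdpass experiment). The following Python is an added worked example, not code from either commenter or from xkcdpass. It assumes a 62-symbol alphanumeric alphabet, a 2048-word list for the xkcd-style four-word phrase and a 7776-word list for the six-word xkcdpass run; the thread does not state xkcdpass's real dictionary size, so that figure is a placeholder you should replace with the list you actually use. The 6 words, 50 sets and 100 million samples come from the comment.

```python
import math

# [A-Za-z0-9]: the alphabet a "random alphanumeric" generator such as
# KeePass draws from (assumption: no symbols enabled).
ALNUM = 62


def entropy_bits(symbols, alphabet_size):
    """Entropy of a secret built from `symbols` independent, uniform draws
    over `alphabet_size` possibilities. The draw can be a character from an
    alphabet or a word from a dictionary; the formula is the same."""
    return symbols * math.log2(alphabet_size)


def equivalent_alnum_length(bits):
    """How many random alphanumeric characters carry `bits` of entropy."""
    return bits / math.log2(ALNUM)


def expected_duplicate_pairs(samples, space_size):
    """Birthday-bound estimate of colliding pairs among `samples` uniform
    draws from a space of `space_size` values: n(n-1) / (2N)."""
    return samples * (samples - 1) / (2 * space_size)


def probability_any_duplicate(samples, space_size):
    """P(at least one collision) ~= 1 - exp(-n(n-1)/(2N))."""
    return 1 - math.exp(-expected_duplicate_pairs(samples, space_size))


def space_bits_needed(samples, sets, max_expected_pairs):
    """Smallest space size, in bits, for which observing zero duplicates in
    `sets` independent runs of `samples` draws is unsurprising, i.e. the
    total expected number of colliding pairs stays below
    `max_expected_pairs`. This is what a no-duplicates result can and
    cannot prove about a generator."""
    pairs_per_set = samples * (samples - 1) / 2
    return math.log2(sets * pairs_per_set / max_expected_pairs)


if __name__ == "__main__":
    # Constructed scenario (assumed dictionary sizes, see lead-in).
    phrase_bits = entropy_bits(4, 2048)          # xkcd-style four-word phrase
    print(f"4 words / 2048-word list : {phrase_bits:5.1f} bits "
          f"~ {equivalent_alnum_length(phrase_bits):.1f} random alnum chars")
    for n in (9, 10, 16):
        print(f"{n:2d} random alnum chars  : {entropy_bits(n, ALNUM):5.1f} bits")

    # The xkcdpass experiment from the comment: 6 words, 50 sets of 1e8.
    samples, sets = 10**8, 50
    space = 7776**6                              # assumed dictionary size
    print(f"6 words / 7776-word list : {entropy_bits(6, 7776):5.1f} bits")
    print(f"expected duplicate pairs per set of {samples:,}: "
          f"{expected_duplicate_pairs(samples, space):.2e}")

    # Caveat: even a 9-character alphanumeric space (~53.6 bits) only yields
    # a duplicate in a 1e8-sample set roughly a third of the time, so
    # "no duplicates" is weak evidence about the upper end of the space.
    print(f"P(duplicate in 1e8 draws from 62^9): "
          f"{probability_any_duplicate(samples, 62**9):.2f}")
    print(f"zero duplicates across {sets} sets only shows the space exceeds "
          f"~{space_bits_needed(samples, sets, 0.05):.1f} bits")
```

The last two lines are the practitioner's takeaway: the duplicate test in the comment is a sound sanity check on the generator's randomness source, but it is a one-sided test. Fifty sets of 100 million with no collisions is consistent with any space larger than roughly 2^62, so it cannot distinguish a 6-word/7776-word space (about 77.5 bits) from a generator with a much smaller effective space; the entropy figure has to come from the dictionary size and word count, not from the collision count.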