by dredmorbius 3175 days ago
I've used Debian's xkcdpass to generate 50 sets of 100 million passwords, then checked for duplicates. The algorithm uses six words and a large dictionary, but otherwise resembles the xkcd original.

There were no duplicates in any of the 50 sets. (About a week's runtime on a fairly modest Intel processor.)

Given that 100m accounts is a fair fraction of the world's active computer users, that's a pretty good start.

(There are further reasons for finding passwords alone insufficient for security, but at least these are strong, and yet potentially memorable, passwords.)
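
The birthday-bound arithmetic for an experiment of this shape, as an added example that is not part of the original comment and is not xkcdpass's own code. The wordlist sizes are assumed values (the comment only says "large dictionary"), and passphrases are modelled as independent uniform draws of word indices.

```python
import math
import secrets

def keyspace_bits(wordlist_size, num_words):
    """Entropy in bits of num_words independent uniform picks from the list."""
    return num_words * math.log2(wordlist_size)

def expected_duplicate_pairs(n, wordlist_size, num_words):
    """Birthday approximation: E[colliding pairs] = n(n-1)/2 / N, N = W**k."""
    return n * (n - 1) / 2 / (wordlist_size ** num_words)

def p_any_duplicate(n, wordlist_size, num_words):
    """P(at least one duplicate among n passphrases) ~= 1 - exp(-E[pairs])."""
    return -math.expm1(-expected_duplicate_pairs(n, wordlist_size, num_words))

def count_duplicates(n, wordlist_size, num_words, rng=None):
    """Empirical check: draw n passphrases as index tuples and count repeats.

    A set of seen tuples is enough at small n; a 100-million-entry run would
    normally sort the generated output on disk and compare neighbours instead.
    """
    rng = rng or secrets.SystemRandom()
    seen, dups = set(), 0
    for _ in range(n):
        phrase = tuple(rng.randrange(wordlist_size) for _ in range(num_words))
        if phrase in seen:
            dups += 1
        else:
            seen.add(phrase)
    return dups

if __name__ == "__main__":
    n, k, sets = 100_000_000, 6, 50      # figures taken from the comment
    for w in (2_000, 10_000, 40_000):    # assumed wordlist sizes
        p = p_any_duplicate(n, w, k)
        print(f"W={w:>6}  bits={keyspace_bits(w, k):5.1f}  "
              f"P(dup in one set)={p:.3e}  "
              f"P(dup in any of {sets} sets)<={min(1.0, sets * p):.3e}")
    # Scaled-down sanity check: tiny keyspace (20**2 = 400) so collisions occur.
    print("toy run, 50 draws from 400:", count_duplicates(50, 20, 2),
          "duplicates; expected pairs:", expected_duplicate_pairs(50, 20, 2))
```
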