by kijin 4789 days ago
It depends on how many words you have in a string.

XKCD's oft-quoted comic uses 4 words. That would be 100000 times stronger than using just 3 words, and vastly superior to your example of a random 9-char password. The article's own example, "golf kangaroo crispy halitosis", also uses 4 words.

I agree with you that long random passwords are the way to go, but even in that case you need to remember at least one password: the master password to your password manager. It would be a good idea to make that a string of 4 or more words. My LastPass master password consists of 5 words with a bunch of symbols sprinkled in between, and my banking password is 4 words in a foreign language.


The problem is, if you actually choose your 4 words randomly out of the full dictionary, you won't get something like "golf kangaroo crispy halitosis" or "correct horse battery staple". It will sound closer to "capaciously endodermal remast amarantite". The set of words as familiar as "golf", "kangaroo", etc. is much smaller than 100k.
It doesn't have to be as memorable as kangaroo, it has to be more memorable than the equivalent (in entropy) number of random characters, which I think is basically any word.

$ wc -l /usr/share/dict/words
99171 /usr/share/dict/words
$ rl -c 4 /usr/share/dict/words | xargs -d\\n
contortionists mocking Alphard soling
$ rl -c 4 /usr/share/dict/words | xargs -d\\n
Toni's dish's mauled spillages
$ rl -c 4 /usr/share/dict/words | xargs -d\\n
expedited tireless interneships tranquiller
$ rl -c 4 /usr/share/dict/words | xargs -d\\n
bohemian rogering unkindliest ayes
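The following Python script is an added example, not code from anyone in the thread. It puts numbers on the comparison the comments are making: it computes the entropy of N words drawn uniformly from a dictionary of a given size against a random password over the 95 printable ASCII characters, and generates a passphrase the same way `rl -c 4` does above (but with replacement, so the entropy formula applies exactly). The 99171-word dictionary size is taken from the `wc -l` output above; the 2000-word "familiar words" list size is an assumption standing in for the earlier comment's point that words like "golf" and "kangaroo" come from a much smaller pool than the full dictionary. If /usr/share/dict/words is absent, it falls back to a small constructed word list so it still runs offline.

```python
import math
import secrets

# Constructed fallback word list (the four words from the comic plus the
# article's example) used only when /usr/share/dict/words is not available.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "golf", "kangaroo", "crispy", "halitosis"]

PRINTABLE_ASCII = 95          # alphabet size of a "random 9-char password"
DICT_WORDS_SIZE = 99171       # from `wc -l /usr/share/dict/words` in the thread
FAMILIAR_WORDS_SIZE = 2000    # assumption: pool of words most people find memorable


def entropy_bits(alphabet_size, length):
    """Entropy (bits) of `length` symbols drawn uniformly, independently,
    from an alphabet of `alphabet_size`; a symbol may be a character or a word."""
    return length * math.log2(alphabet_size)


def chars_equivalent(wordlist_size, word_count, alphabet_size=PRINTABLE_ASCII):
    """Number of uniformly random printable-ASCII characters with the same
    entropy as `word_count` words drawn from a list of `wordlist_size`."""
    return entropy_bits(wordlist_size, word_count) / math.log2(alphabet_size)


def extra_word_factor(wordlist_size):
    """How many times larger the search space gets per added word
    (the '100000 times stronger' figure for a ~100k dictionary)."""
    return 2 ** (entropy_bits(wordlist_size, 4) - entropy_bits(wordlist_size, 3))


def load_wordlist(path="/usr/share/dict/words"):
    """Read a dictionary one word per line, de-duplicated; fall back to the
    constructed sample so the script runs offline."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            words = {line.strip() for line in fh if line.strip()}
        return sorted(words)
    except OSError:
        return list(SAMPLE_WORDS)


def passphrase(words, count=4):
    """Draw `count` words with replacement using the OS CSPRNG (secrets),
    never the non-cryptographic `random` module. Drawing with replacement
    is what makes entropy_bits(len(words), count) exact."""
    return " ".join(secrets.choice(words) for _ in range(count))


def comparison_table():
    """Entropy of the schemes discussed in the thread, in bits."""
    return {
        "3 dict words": entropy_bits(DICT_WORDS_SIZE, 3),
        "4 dict words": entropy_bits(DICT_WORDS_SIZE, 4),
        "5 dict words": entropy_bits(DICT_WORDS_SIZE, 5),
        "4 familiar words": entropy_bits(FAMILIAR_WORDS_SIZE, 4),
        "9 random printable chars": entropy_bits(PRINTABLE_ASCII, 9),
    }


if __name__ == "__main__":
    for name, bits in comparison_table().items():
        print(f"{name:26s} {bits:6.1f} bits")
    print(f"4 dict words ~ {chars_equivalent(DICT_WORDS_SIZE, 4):.1f} random chars")
    print(f"one extra dict word multiplies the space by "
          f"{extra_word_factor(DICT_WORDS_SIZE):,.0f}")
    words = load_wordlist()
    print(f"passphrase from {len(words)} words: {passphrase(words)}")
```

With the 99171-line dictionary, four words come to about 66.4 bits, three words to about 49.8 bits, and a 9-character printable-ASCII password to about 59.1 bits, so four words beat the 9-character password while three words do not. Four words from a 2000-word familiar pool give only about 43.9 bits, which is the trade-off the earlier comment describes: the memorable-sounding phrases in the article and the comic are drawn from a far smaller space than the full dictionary.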