Re: Can a grownup, please...?
In fact, I'd say the "CorrectHorseBatteryStaple" cartoon is a rare example of XKCD getting it badly wrong.
The issue is: scaling. The XKCD approach only works because nobody targets it. If we all started doing that, attackers would quickly rewrite their algorithms to crack it (by stringing together random words - "dictionary attack" would take on a whole new meaning), and we'd very soon be much worse off than we are today.
Maths: The average native English speaker has an active vocabulary of about 20,000 words (actually I'd be prepared to bet a very large fraction of users would choose from a much smaller subset of words, but let's take 20,000 as a base for calculation). If you string four of those words together at random, that gives you (20,000 ^ 4 = ) 1.6e17 possible sequences. That's not much better than an 8-character conventional password (if assembled from the 92 characters I can easily type from my keyboard, 92 ^ 8 = 5e15). A 10-character password is 250 times more secure.
And sure, you can add random shit to it to make it harder to guess - but once you start doing that, the supposed gain in "memorability" promptly vanishes, and you're left doing a lot more typing to achieve the same level of security you could have in a much smaller field.
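To make the comparison in the post reproducible, here is an added Python example (not the poster's code) that computes the search space and bits of strength for the passphrase and password schemes above, using the post's figures (a 20,000-word vocabulary and a 92-character set) as assumed defaults; it goes one step further and reports how many random words are needed to match a character password of a given length.

```python
from math import log2, ceil


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets when each of `length` positions is drawn
    uniformly at random from `alphabet_size` choices (a character set or a
    word list). Assumes the attacker knows the scheme and must try them all."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits: log2 of the search space."""
    return length * log2(alphabet_size)


def words_needed(vocab_size: int, target_bits: float) -> int:
    """Smallest number of uniformly random words from a `vocab_size` list
    whose combined strength reaches `target_bits`."""
    return ceil(target_bits / log2(vocab_size))


def compare(vocab_size: int = 20000, n_words: int = 4,
            charset_size: int = 92, pw_lengths=(8, 10)) -> dict:
    """Return {label: (search_space, bits)} for the passphrase scheme and
    for each character-password length. Defaults are the post's figures."""
    out = {
        f"{n_words} words from {vocab_size}":
            (search_space(vocab_size, n_words), entropy_bits(vocab_size, n_words))
    }
    for n in pw_lengths:
        out[f"{n} chars from {charset_size}"] = (
            search_space(charset_size, n), entropy_bits(charset_size, n))
    return out


if __name__ == "__main__":
    for label, (space, bits) in compare().items():
        print(f"{label:>22}: {space:.2e} combinations, {bits:5.1f} bits")
    # How many random 20,000-vocabulary words does it take to match a
    # 10-character password drawn from 92 symbols?
    print("words to match a 10-char password:",
          words_needed(20000, entropy_bits(92, 10)))
```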