So 4 common dictionary words used as a password, such as correcthorsebatterystaple, offer around 5,000^4 combinations, or around 6×10^14. EDIT: We’re not sure how XKCD got to 2^44, as a brute force of that would take a maximum of around 2 x 10^35 attempts, which we think was the point he was trying to make.
Hmm… xkcd is using a 2048-word list in his example (11 bits per word / 44 bits for 4 words).
Of course it’s safer to have a long generated password, but at some point you are going to use a “human usable” password (e.g. for your password store), and it’s easier to use an “xkcd” password than trying to “cheat” the system by using leetspeak and all the other “recommended” password bs (resulting in just 28 bits, as demonstrated by xkcd). A combination of both might be better, though.
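The disagreement above comes down to wordlist size: the entropy of a randomly chosen passphrase is words × log2(list size), so 4 words from a 2048-word list is exactly 44 bits, while 4 words from a 5,000-word list is about 49 bits (5,000^4 ≈ 6.25×10^14). The following is an added example, not code from the original post or its commenters; it works the arithmetic for any list size, shows how a guess rate turns a search space into a time-to-exhaust figure (the rate is an assumed parameter, not a figure from the page), and generates a passphrase with the `secrets` module so the words really are chosen uniformly at random, which is the assumption the entropy estimate rests on. The tiny wordlist embedded in the code is constructed for the demo; a real deployment would use a published list of a few thousand words.

```python
import math
import secrets

# Constructed demo wordlist. Entropy figures below are driven by the
# size you pass in, so a real list (2048 or 5000+ words) is what you'd use.
DEMO_WORDLIST = ["correct", "horse", "battery", "staple",
                 "cloud", "river", "pencil", "window"]


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of a passphrase built from `word_count` uniformly random picks."""
    if wordlist_size < 2 or word_count < 1:
        raise ValueError("need at least 2 words in the list and 1 word in the phrase")
    return word_count * math.log2(wordlist_size)


def search_space(wordlist_size: int, word_count: int) -> int:
    """Number of distinct passphrases an attacker who knows the list must consider."""
    return wordlist_size ** word_count


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of `bits` entropy at an assumed rate.
    On average an attacker needs about half of this."""
    seconds = (2 ** bits) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def generate_passphrase(wordlist: list[str], word_count: int, sep: str = " ") -> str:
    """Pick words with secrets.choice (CSPRNG), never random.choice, so each
    word contributes the full log2(len(wordlist)) bits."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def compare_lists(word_count: int = 4) -> dict[int, float]:
    """Entropy for the two list sizes discussed above (2048 and 5000 words)."""
    return {size: round(passphrase_entropy_bits(size, word_count), 2)
            for size in (2048, 5000)}


if __name__ == "__main__":
    for size, bits in compare_lists().items():
        print(f"{size:>5}-word list, 4 words: {bits:.2f} bits, "
              f"{search_space(size, 4):.3e} combinations")
    # Assumed online-guessing rate of 1000/s, purely illustrative.
    print(f"44 bits at 1000 guesses/s: {years_to_exhaust(44, 1000):.0f} years worst case")
    print("sample:", generate_passphrase(DEMO_WORDLIST, 4))
```

Note that the estimate only holds when the attacker knows the list and the words are chosen uniformly; a phrase the user composed by hand (a quote, a sentence that makes sense) has far less entropy than the word count suggests, because the words are no longer independent picks.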