
Anyone know what this table means:

        1 word   0
        2 words  0
        3 words  0
        4 words  3m
        5 words  19d
        6 words  405y
        7 words  3My
Does it mean that if your password contains only 4 words, it takes 3 minutes to crack regardless of the words?

Is https://xkcd.com/936/ bad advice?



That XKCD comic is good advice. But use a long enough passphrase.

Also, he's being (very) conservative. In other words, he's assuming a very fast password cracker. Roughly speaking, he has a wordlist of ~8070 words, which works out to ~13 bits of entropy / word. Which implies at 3My to crack 7 words he's assuming ~26 trillion (!) password hashes per second.

That's potentially realistic if you're using a fast hash - but you should be using something that's slow (and memory-constrained) for a password hash.


Doesn't the English language consist of 500,000-1,000,000 words?

* http://www.merriam-webster.com/help/faq/total_words.htm


Yes. But most of them are far too close to each other to remember easily. Or relatively not used words.

It's (generally) easier to just use a longer passphrase and a shorter wordlist of only relatively common words.


The xkcd is bad advice. It mentions 1000 guesses per second.

In reality GPU crackers can do 100,000,000,000 guesses per second. https://hashcat.net/oclhashcat/

You need to add another 2-3 words.
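As an added worked example (not from the thread or from xkcd), here is the arithmetic behind the two comments above: the first derives a guess rate from the table's "7 words = 3My" row with a ~8070-word list, the second assumes 1000 versus 100,000,000,000 guesses per second against the comic's 4-word, 2048-word-list passphrase and asks how many words must be added. The wordlist sizes and guess rates below are the ones quoted in the thread; the 2048-word list for the comic is assumed from its stated 44 bits (11 bits per word).

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, close enough for crack-time estimates


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly (with replacement)
    from a list of `wordlist_size` words. Assumes the attacker knows the list."""
    return words * math.log2(wordlist_size)


def seconds_to_exhaust(wordlist_size: int, words: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of the given shape at a fixed guess rate."""
    return wordlist_size ** words / guesses_per_second


def implied_guess_rate(wordlist_size: int, words: int, crack_seconds: float) -> float:
    """Guess rate a cracker must sustain to exhaust the keyspace in `crack_seconds`.
    This is how the '3 million years for 7 words' row can be turned into a rate."""
    return wordlist_size ** words / crack_seconds


def human_duration(seconds: float) -> str:
    """Render seconds in the same rough style as the table in the question."""
    for suffix, size in (("y", SECONDS_PER_YEAR), ("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f}{suffix}"
    return f"{seconds:.0f}s"


if __name__ == "__main__":
    # Rate implied by the table: 8070-word list, 7 words, 3 million years (values from the thread).
    rate = implied_guess_rate(8070, 7, 3e6 * SECONDS_PER_YEAR)
    print(f"implied rate: {rate:.3g} guesses/s  ({passphrase_bits(8070, 1):.2f} bits/word)")
    for n in range(1, 8):
        print(f"{n} words  {human_duration(seconds_to_exhaust(8070, n, rate))}")

    # xkcd 936 scenario: 4 words from a 2048-word list (assumed from its 44 bits) at both rates.
    for rate in (1e3, 1e11):
        for n in (4, 6, 7):
            t = seconds_to_exhaust(2048, n, rate)
            print(f"{n} words @ {rate:.0e}/s: {passphrase_bits(2048, n):.0f} bits, {human_duration(t)}")
```

Running it shows the table's rows are mutually consistent (the 4-, 5- and 6-word rows all imply roughly the same rate as the 7-word row), and that at 10^11 guesses per second a 4-word comic-style passphrase falls in minutes while 6 or 7 words push the worst case back to decades or tens of thousands of years.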


The way password crackers work now, it is quite easy to crack passwords that are combinations of words, even with alphanumeric substitution. The best passwords are completely random, and 24+ characters.


This threw me off as well. I think you are supposed to use the first chart if your password was generated randomly and the second chart if you used words. I am not 100 percent sure though.


That is how much time it takes to break the answer to the security question, not the passwords. The security questions have a weaker hashing function.



