I love XKCD but I do not entirely agree with the "correcthorsebatterystaple" password creation methodology.

For straight-up unsophisticated brute-force attacks, where every possible password is tried starting at "a" and ending at "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz" -- the esteemed Mr. Munroe is correct.

Most password attacks are far more sophisticated, using dictionaries, precomputed hash tables, and so on. A dictionary attack against "correcthorsebatterystaple" would succeed far more quickly than a brute force attack.
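To put numbers on the comparison above, here is an added example (not part of the original post) that estimates the guess space for a passphrase under both attack models: character-by-character enumeration versus combining words from a dictionary. The tiny wordlist is constructed for illustration, and the 2048-word dictionary size and 26-letter lowercase alphabet are assumptions.

```python
import math

# Constructed sample wordlist; only used to recognise the words in a passphrase.
SAMPLE_WORDS = {"correct", "horse", "battery", "staple", "bat", "cat", "or"}
# Assumption: the attacker's dictionary holds 2048 common words (11 bits each).
ASSUMED_DICT_SIZE = 2048


def brute_force_bits(password, alphabet_size=26):
    """log2 of the guesses needed to try every string from 'a' up to
    the all-'z' string of the same length as the password."""
    total = sum(alphabet_size ** n for n in range(1, len(password) + 1))
    return math.log2(total)


def segment(password, words):
    """Split password into the fewest dictionary words, or return None."""
    best = [None] * (len(password) + 1)
    best[0] = []
    for end in range(1, len(password) + 1):
        for start in range(end):
            if best[start] is None or password[start:end] not in words:
                continue
            candidate = best[start] + [password[start:end]]
            if best[end] is None or len(candidate) < len(best[end]):
                best[end] = candidate
    return best[len(password)]


def dictionary_bits(password, words, dict_size=ASSUMED_DICT_SIZE):
    """log2 of the guesses needed to try every combination of 1..k
    dictionary words, where k is the word count of the password.
    Returns None if the password is not made of dictionary words."""
    parts = segment(password, words)
    if parts is None:
        return None
    total = sum(dict_size ** n for n in range(1, len(parts) + 1))
    return math.log2(total)


if __name__ == "__main__":
    pw = "correcthorsebatterystaple"
    print("words:", segment(pw, SAMPLE_WORDS))
    print("brute force: %.1f bits" % brute_force_bits(pw))
    print("dictionary:  %.1f bits" % dictionary_bits(pw, SAMPLE_WORDS))
```

A strength meter that only counts characters reports the first figure; one that models word-based guessing reports the second, which is the number that matters against a dictionary attack.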