I take issue with this comic i'm afraid.... hopefully the points have been raised already but i've had this tab open 2 hours without having chance to log in, so not really the time to read 7+ pages
1/ pretty vulnerable to dictionary attacks. OK, they have to stack multiple words, but that still makes the attempts far more trivial. a dictionary with 262144 words represents 18 bits of entropy - or maybe 3 characters in a gobbledegook passwords that includes upper/lower case, numbers, and a small selection of punctuation characters. So your 4 words come out to the same as a 12-character "normal" one. Merely more memorable... possibly. But a hell of a lot harder to reliably type quickly, especially if you're trying to log into something with a smartphone. I've got my muscle memory down pat for the 10 or so passwords (aka 6 main ones with some having variants) that I use, even the longer ones take little longer than a second to input.
2/ Who, in this day and age, implements a log-in system that can check 1000 user/pass combinations a second - and will happily do so for the same account - and has unlimited logins without so much as a captcha, prompt to send a reset email, or just locking it out for a certain amount of time / until the PW is reset after a certain number of attempts? Most of my logins take several seconds, and I'm limited into how many attempts I can make and even how quickly I can submit repeats (assuming the server even responds fast enough for that).
Oh and you don't know how many subsitutions there may be for a particular word, and are missing 2-4 anyway in Troubadour - "b" for "8" or "6" or "B", "T" for "7" (or just "t"), "r" for "2" (or "R"), etc. The actual number of entropy bits is significantly higher, probably beyond 32, and attempts per second hopefully quite a bit lower than 1000. I should think a cracking attempt along those lines, rather than doing something simpler e.g. trying to keylog, phish, or otherwise get hold of details directly, may take the better part of a year, by which point a corporate network will have already prompted the user to implement another regular PW change.
Also, what of the mileage in using foreign words, things from fantasy novels, or unusual proper nouns, etc? I have various combinations of those, along with the substitutions, inserts, etc in my own PWs. Never had any trouble; they're practically unguessable / unhackable unless someone keylogs me (but easy to remember as they were things that either meant something to me - privately - at one point, or were nicked off someone else (then modified) because it was an interesting/unusual pass and they let it slip in plaintext, or was some snatch of random and rather bizarre text I saw on a poster... plus there's the whole muscle memory thing).
Apart from that time Gawker was hacked and their stupidly unencrypted PW database stolen, of course...
(I work at a college, in the IT dept, and even the root users don't have access to the PW database. Only the server's internal processes has access to the unencrypted data of submitted user info and the stored passwords. If someone forgets theirs, or mistypes it enough times (5, in our case, with the third one implementing a 30-second delay before the entry boxes become available again) that their account is locked out, the only option is for them to come to the office along with their campus photo ID card, answer a couple security questions, and have it reset to a random string which they then have to change - to something other than their last 6 passwords - at first login, before they can get access. All this is standard MS Active Directory stuff. The better online services operate similar schemes. The worse ones have unlimited attempts and will send you your forgotten password in plaintext ... but still don't seem to be even CAPABLE of allowing more than one login attempt every couple of seconds, let alone specifically made to allow such obvious attacks)