Passphrases generator should use nonsense/fake words and place digits in multiple locations

This is the link to Choosing a Secure Password - Schneier on Security
Bruce has lots to say about best practices for generating passphrases. In the section on XKCD, he says:

“This is why the oft-cited XKCD for generating passwords—string together individual words like ‘correcthorsebatterystaple’—is no longer good advice. The password crackers are on to this trick.”

That was written in 2014. Other back issues give further advances and advice on the subject.

I think that if real words are used in passphrases (and the user knows those words), it doesn’t matter if the word is a four or five-letter word, or a 10 to 12-letter word; if the user knows the word, then the user knows the word and each word constitutes one element to remember. (Remember the notion that people of average intelligence can remember 7 items (+/- 2).)

For effective attacks on passphrases composed of real words, if it’s in a dictionary, it also constitutes one element of the passphrase the attacker needs to get correct, and the length of each word is irrelevant to the cracking computer when employing certain attacks.

So… In an attempt to generate a passphrase that is both resistant to some types of attacks and easy to remember, it seems that the use of a nonsense word among real words (with digits and punctuation added for complexity) is (at least for now) a reasonable trade-off.

The goal is to make any attacking method as costly as brute-force, which is the only method, given enough time and energy, that is guaranteed to work.
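As an added example (my own code, not the original poster's or any password manager's), a small generator that follows the approach described above: a few real words, one pronounceable nonsense word placed at a random slot, digits scattered across the phrase rather than appended at the end, and an entropy estimate that counts each dictionary word as a single element regardless of its length. The twelve-word list is a constructed stand-in for a real list of several thousand words.

```python
import math
import secrets

# Constructed twelve-word list standing in for a real diceware-style list of
# several thousand words (assumption: a production generator loads a full list).
WORDLIST = ["correct", "horse", "battery", "staple", "cloud", "river",
            "lantern", "pepper", "orbit", "marble", "tunnel", "velvet"]
CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"
PUNCTUATION = "!#$%&*+-=?@^_~"

def nonsense_word(syllables=3):
    """Pronounceable fake word built from consonant-vowel syllables; it is in no
    wordlist, so a dictionary attack has to fall back to brute-forcing it."""
    return "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(syllables))

def scatter_digits(tokens, count):
    """Insert `count` random digits as separate tokens at random positions, so
    they land in multiple places instead of the predictable end of the phrase."""
    tokens = list(tokens)
    for _ in range(count):
        tokens.insert(secrets.randbelow(len(tokens) + 1), str(secrets.randbelow(10)))
    return tokens

def generate(real_words=3, syllables=3, digits=2):
    """Real words + one nonsense word at a random slot + scattered digits,
    joined by a single randomly chosen punctuation separator."""
    words = [secrets.choice(WORDLIST) for _ in range(real_words)]
    words.insert(secrets.randbelow(len(words) + 1), nonsense_word(syllables))
    return secrets.choice(PUNCTUATION).join(scatter_digits(words, digits))

def estimated_bits(real_words=3, syllables=3, digits=2, wordlist_size=len(WORDLIST)):
    """Approximate entropy against an attacker who knows this generator. Each real
    word is one pick from the list (its letter count is irrelevant); the nonsense
    word costs a pick per consonant and vowel; each digit costs a value and a slot."""
    bits = real_words * math.log2(wordlist_size)
    bits += syllables * (math.log2(len(CONSONANTS)) + math.log2(len(VOWELS)))
    bits += math.log2(real_words + 1)                 # slot of the nonsense word
    slots = real_words + 1
    for _ in range(digits):
        bits += math.log2(10) + math.log2(slots + 1)  # digit value and slot
        slots += 1
    bits += math.log2(len(PUNCTUATION))               # separator choice
    return round(bits, 1)

if __name__ == "__main__":
    print(generate(), f"~{estimated_bits()} bits with a {len(WORDLIST)}-word list")
    print(f"~{estimated_bits(wordlist_size=7776)} bits with a 7776-word list")
```

With the real 7776-word list the three dictionary words alone contribute about 38.8 bits, while the three-syllable nonsense word adds about 19.5 bits that no wordlist lookup can shortcut.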