Four English words selected randomly from a large dictionary is certainly secure. But it's unwieldy to type 20+ character passwords. I prefer 10-digit random alpha-numeric passwords, although these are hard to remember and type. Best compromise in my opinion is to use a hashing function with a moderately difficult passphrase, e.g., Site_Password = Hash( Domain_Name || Passphrase).