
Speaking of good passwords, I wrote a passphrase generator once that I still use to this day. You can have a copy of it if you’d like. The README explains all there is to know about it but feel free to ask any questions anyone might have.

https://github.com/ctsrc/Pgen



One of the password generation tools -- so long ago I forget which one, but probably 1Password -- generated a password for me, and I loved the scheme it used. I still use a variety of it but now I make them up myself. The rules:

1. Make up a short nonsense word (so it's pronounceable).

2. Pick 3 numbers.

3. Make up another short nonsense word.

4. Concat them with hyphens, capitalising the first letter.

So let's go with...

    Terp-745-mula
    Mang-288-pung
The benefits:

1. Heaps 'o entropy. Need more? Just make longer words.

2. Crucially: really easy to type on an iOS keyboard. You often start with caps on by default, and the dash-number-dash sequence in the middle only requires one use of the symbol shift key.

3. And, of course, fairly memorable.

I still use 1Password and the vast majority of my passwords are 16 characters of truly random nonsense, but for those times that you want a memorable password that you'll actually type quite a bit, this is gold.

---

And now I await the inevitable teardown of this method ... what did I miss? :-)


An attacker that knows your algorithm can restrict the search space to only sequences that follow the algorithm.
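An added illustration, not code from any commenter in this thread: it generates passwords in the word-digits-word shape described above with a CSPRNG, and puts a number on the teardown by computing the search space an attacker who knows the exact algorithm has to cover. The consonant/vowel alternation used to model "pronounceable nonsense", and the 62-symbol alphabet for the 16-character comparison, are assumptions.

```python
import math
import secrets
import string

# Constructed model of a "pronounceable nonsense word" (an assumption, not the
# commenter's exact habit): consonants and vowels strictly alternate.
CONSONANTS = "bcdfghjklmnpqrstvwxyz"  # 21 letters
VOWELS = "aeiou"                      # 5 letters


def nonsense_word(length: int) -> str:
    """Alternating consonant/vowel word, each letter chosen with a CSPRNG."""
    return "".join(
        secrets.choice(CONSONANTS if i % 2 == 0 else VOWELS) for i in range(length)
    )


def make_password(word_len: int = 4, n_digits: int = 3) -> str:
    """Word-digits-word joined by hyphens, first letter capitalised (thread scheme)."""
    first = nonsense_word(word_len).capitalize()
    digits = "".join(secrets.choice(string.digits) for _ in range(n_digits))
    return f"{first}-{digits}-{nonsense_word(word_len)}"


def word_choices(length: int) -> int:
    """Number of distinct words the alternating generator can emit."""
    n = 1
    for i in range(length):
        n *= len(CONSONANTS) if i % 2 == 0 else len(VOWELS)
    return n


def scheme_entropy_bits(word_len: int = 4, n_digits: int = 3) -> float:
    """Entropy when the attacker knows the algorithm: only the random choices
    count, the hyphens and the capital letter contribute nothing."""
    search_space = word_choices(word_len) ** 2 * 10 ** n_digits
    return math.log2(search_space)


def random_chars_entropy_bits(length: int = 16, alphabet_size: int = 62) -> float:
    """Entropy of a fully random string, for comparison (alphabet size assumed)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(make_password())  # e.g. Tima-407-kupe (random each run)
    for n in (4, 5, 6):     # "need more? just make longer words"
        print(f"word length {n}: {scheme_entropy_bits(n):.1f} bits")
    print(f"16 random chars: {random_chars_entropy_bits():.1f} bits")
```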


That's why when I describe my password generation scheme - which is kind of similar - I never pinpoint it. Oh, and I don't necessarily stick to it as long as the result is a good password ;-)

But yes, entropy is lost if you decide it has to be pronounceable. On the other hand, pronounceable is in the eye of the beholder and it allows me to memorize long sequences of nonsense (up to the point where it gets annoying to type for someone who consequently locks his computer every time.)

For everyone who is just starting to think of this, here are some more tips:

- Do store passwords in a password manager! The only reason to memorize passwords is because you need the password for your password manager and your OS and certain other things available even if you aren't logged in to your password manager.

- Use real two factor auth whenever possible. Please be aware though that just adding "sms something" doesn't necessarily make things more secure. A common (AFAIK, and sadly) mistake seems to be to use SMS for both password reset and for the second factor. In this case whoever gets access to your phone for just a moment can reset your password and immediately get a "2-factor" login code as well. (Scare quotes because this isn't 2-factor since one only needs access to one thing, the phone, to get access in this case.)

- Some people will say that using SMS at all is hopeless, but from what I can see it can still make sense in a number of cases: not everyone has targeted attacks from three letter agencies (domestic or foreign) as part of their threat model. More people have - or should have - a point about losing access to login information as part of their threat model I guess.


Diceware is a good method using actual dice.



