I generally string my random words together with hyphens. Also, I don't limit myself to "common" words. Any word I know or can easily learn (being a glossophile, I'm constantly acquiring new vocabulary anyhow) is fair game. But this basic approach is how I generate most of my passwords.
For moderate security I use only three words:
(No, these are not actual passwords that I use. But you get the idea.)
For increased security (e.g., for server root passwords), I use four words and/or include one that is unlikely to be in any attacker's dictionary, either because it's an obscure nonce word from something I've read or because I just plain made it up out of whole cloth.
Examples with one non-dictionary word:
It is difficult to properly estimate the technical entropy in this last category of passwords, but given that no common password cracking algorithm is designed to attack it, it's probably overall more secure than the four-dictionary-words variant. A naive algorithm that just treats it as a random string of characters is looking at permutations of 20+ elements, so brute-forcing it that way would take a while even for a small botnet. (If a large botnet tried, that would be detected as a DDoS attack.)
I really don’t think it matters how secure your password is (except for more important things like online banking and PayPal).
I'm a network administrator. I have more than fifty passwords in my head. At least twenty of them are more important than your PayPal account.
Sure, for stuff that totally does not matter, like the accounts I create on every random blog and forum on the internet just so I can post some comments, where the dire consequence if someone figures out my password is that they could pretend to be me and possibly fool someone who doesn't know me at all, I just use the same password every time. I must have used that password on three hundred sites by now. It's not secure, but who cares?
For stuff that sort of kind of matters, like accounts on web services that I use for stuff that sort of matters to me, but which have no real value to anyone else, I use a different but only slightly more secure password. (Yeah, it has a non-alphabetic character in it, but it's still not very long.) If anything happens and I lose the accounts, I *can* replace them, although it would annoy me significantly.
Oh, and when I generate passwords that are going to be used by other people I follow a somewhat different pattern, but that's neither here nor there.
For server passwords and stuff, though, I treat the issue quite seriously. For network administrators, paranoia is one of our most important job skills.
If I were creating a password for a high-profile target, such as a federal government site, I'd probably take some medium-length piece of memorized text and use the first letter of each word, e.g., ItpGstofttpamtaivw,bitldhhstubhSwhahoatatwhmtu. (Since this is not a real password that I am planning to use, I'll go ahead and tell you that it's the first two verses of the epistle to the Hebrews, NIV translation. In a real scenario, I probably would have chosen a passage out of the middle of the text, rather than the beginning.) This technique only works if you have memorized a number of long passages of text, but as a former national-level Bible quizzer I'm on that like white on rice. A few more examples, just for fun:
Even if you know my methodology for generating these passwords, they remain strong if the passages are chosen arbitrarily. (Some of the ones above are much better in that regard than others, of course. The Fifth Amendment is particularly weak, as the Bill of Rights isn't a very long text and is quite commonly memorized, and on top of that several of the amendments are too short to be used.)
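Added example, not part of the original comment: a rough estimator for hyphen-joined passphrases that compares a word-aware guessing model with the naive per-character model mentioned above. The dictionary size (100,000 words), the 27-symbol character set, the small word set and the sample passphrases are all assumptions constructed for illustration.

```python
import math

# Assumptions (not from the comment): size of the attacker's word list and
# the character set used for naive per-character guessing.
ATTACKER_DICT_SIZE = 100_000
CHARSET_SIZE = 27  # a-z plus the hyphen separator

# Constructed stand-in for the attacker's dictionary (membership test only).
KNOWN_WORDS = {"copper", "lantern", "orbit", "thistle", "maple"}


def char_model_bits(passphrase: str) -> float:
    """Bits of search space if every character is guessed independently."""
    return len(passphrase) * math.log2(CHARSET_SIZE)


def word_model_bits(passphrase: str) -> float:
    """Bits against a word-aware attacker. A dictionary word costs
    log2(dictionary size); any other word has to be guessed letter by letter.
    These are upper bounds: they hold only if words (and the letters of a
    made-up word) are picked uniformly at random."""
    bits = 0.0
    for word in passphrase.lower().split("-"):
        if word in KNOWN_WORDS:
            bits += math.log2(ATTACKER_DICT_SIZE)
        else:
            bits += len(word) * math.log2(26)
    return bits


def estimate(passphrase: str) -> dict:
    """Report both models; the attacker uses whichever is cheaper."""
    word_bits = word_model_bits(passphrase)
    char_bits = char_model_bits(passphrase)
    return {
        "length": len(passphrase),
        "word_model_bits": round(word_bits, 1),
        "char_model_bits": round(char_bits, 1),
        "effective_bits": round(min(word_bits, char_bits), 1),
    }


if __name__ == "__main__":
    # Constructed samples: three words, four words, four with one made-up word.
    for sample in ("copper-lantern-orbit",
                   "copper-lantern-orbit-thistle",
                   "copper-lantern-orbit-zorvex"):
        print(sample, estimate(sample))
```

Human-chosen words are not uniformly random, so real strength sits below the word-model figure; the gap between the two models shows how much a word-aware attacker gains over character-level brute force.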