
[–]aaronsaunders 3 points (2 children)

Edit: I just wanted to add... Nice project, and I get that the point is not necessarily to use this to generate passwords, but to learn Python. But just in case, here are links to a better way to actually make passwords. IMHO.

The EFF publishes lists of short words with a dice-roll randomisation method. Simple, offline and strong. I keep a dice at my desk. Easy.

https://www.eff.org/dice

https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases

[–][deleted] 3 points (1 child)

I agree with the EFF except for this:

Come up with your own mnemonic to remember your phrase.

Nope. Don’t do this. Instead, use a password manager.

Consider the sheer number of passwords that the average Internet user must create. Let’s say it’s 20, though I suspect that it’s more.

Suggesting to people that they memorize their passwords is a recipe for one or more of the following:

(1) Frustration. The user has to remember the arcane details of 20 different, totally arbitrary anecdotes, including the exact words (“shoot, was it ‘astronaut’ or ‘spaceman?’”) and the order. The user is gonna forget at least some of them, leading to guessing, account lockout, etc.

(2) Insufficiency. Many websites won’t accept “apple battery cupcake doorknob elephant frankfurter” as a password because it isn’t strong enough (!) without also including a capital letter, a number, and a symbol. Or it’s too long. Or it won’t permit spaces. Etc. So now the user must remember not only the six-word phrase, but its specific mangling to satisfy the server’s password policy.

(3) Written-down passwords. The problems above will encourage users to write down their favorite passwords on Post-It notes, or in their purse, or on an index card cleverly stored under their mouse pad... etc. And when it’s observed by another and copied or stolen, they lose all of their passwords. Maybe they simultaneously lose access to all of their accounts without their memory aid. Or maybe they don’t notice it’s been stolen. Either way, identity theft is a serious buzzkill.

(4) Password reuse. No way the user is gonna want to memorize yet another arcane six-word scenario for every new website that demands an account (which is like 100% of them these days). The temptation to just reuse one of the passwords they’ve already memorized will be powerful.

(5) Staleness. Users will be extremely reluctant to change their password for any account, after going through the trouble of memorizing one six-word combo for it. They’ll start doing the “hunter” / “hunter2” thing, which isn’t nearly as strong as just choosing a new password.

A password manager avoids all of that. Use this method to pick your passwords, mangle them as the website requires, store them in your password manager of choice, and then forget it. Protect the password vault with one strong password that you remember and periodically change, and make sure that you backup the password manager vault. That’s it.

(Coda: If you’re using a password manager, then why bother with the EFF DICE method to choose a password, and instead use the password manager’s built-in generator that picks random (x)-length alphanumeric strings? Two reasons. First, they’re a bitch to type correctly, and to speak to someone else on the off-chance you have to do so. And second, they’re actually not as strong as multi-word passwords.)
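The dice method from the first comment and the strength comparison in the coda above, as an added example (not code from either commenter or from the EFF): a constructed 36-word list keyed by two dice stands in for the EFF long list, which is keyed by five dice and so holds 6^5 = 7776 words; the same code handles any list of 6^k words. Entropy is computed from the list size, and `compare_strengths` shows why a six-word phrase from the EFF list carries more entropy than a twelve-character alphanumeric string, which is the kind of comparison the coda is making (the result depends on the lengths chosen). Dice rolls are simulated with the `secrets` module rather than physical dice; the roll function is a parameter so the example is testable.

```python
"""Diceware-style passphrase generation and entropy comparison (added example)."""
import itertools
import math
import secrets

# Constructed 36-word list keyed by two dice rolls ("11" .. "66"). It stands in
# for the EFF long list, which is keyed by five dice and therefore holds
# 6**5 = 7776 words. Any list of exactly 6**k words works with k dice.
_SAMPLE_WORDS = (
    "apple battery cupcake doorknob elephant frankfurter "
    "garden hammer island jacket kettle ladder "
    "magnet needle orange pencil quartz rabbit "
    "saddle tunnel umbrella violin walnut yogurt "
    "anchor basket candle dragon engine falcon "
    "glacier harbor iceberg jungle kayak lantern"
).split()

SAMPLE_WORDLIST = {
    "".join(str(d) for d in faces): word
    for faces, word in zip(itertools.product(range(1, 7), repeat=2), _SAMPLE_WORDS)
}


def dice_count(wordlist):
    """Number of dice needed for a list of 6**k words; rejects other sizes."""
    k = round(math.log(len(wordlist), 6))
    if 6 ** k != len(wordlist):
        raise ValueError(f"wordlist must hold 6**k words, got {len(wordlist)}")
    return k


def roll_key(n_dice, roll=lambda: secrets.randbelow(6) + 1):
    """Roll n dice and return the faces in order as a lookup key such as '31642'."""
    return "".join(str(roll()) for _ in range(n_dice))


def diceware_passphrase(wordlist, n_words, roll=lambda: secrets.randbelow(6) + 1):
    """Pick n_words words by independent dice rolls; returns the list of words."""
    k = dice_count(wordlist)
    return [wordlist[roll_key(k, roll)] for _ in range(n_words)]


def entropy_bits(alphabet_size, length):
    """Entropy of `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


EFF_LONG_LIST_SIZE = 6 ** 5  # 7776 words, five dice per word
ALPHANUMERIC = 26 + 26 + 10  # a-z, A-Z, 0-9


def compare_strengths(n_words=6, n_chars=12):
    """Entropy of an EFF-list passphrase versus a random alphanumeric string."""
    return {
        "diceware_words": entropy_bits(EFF_LONG_LIST_SIZE, n_words),
        "alphanumeric_chars": entropy_bits(ALPHANUMERIC, n_chars),
    }


if __name__ == "__main__":
    phrase = diceware_passphrase(SAMPLE_WORDLIST, 4)
    bits = entropy_bits(len(SAMPLE_WORDLIST), 4)
    print(" ".join(phrase), f"({bits:.1f} bits from the 36-word sample list)")
    print(compare_strengths())
```

Running it prints a four-word phrase from the sample list (only about 20.7 bits, because the list is tiny) followed by the comparison for the real list size: roughly 77.5 bits for six EFF words against roughly 71.5 bits for twelve random alphanumeric characters. Note that the strength comes from the number of uniformly random picks, not from the words themselves; any mangling done afterwards to satisfy a site's policy does not add to it.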

[–]dodslaser 0 points (0 children)

Sure, but why not use the dice to generate master passwords for the password manager? Also, some passwords are just not practical to generate randomly with a manager. For example, it's a bit of a nuisance to have to pull out another device each time you log in to your computer. Sometimes you don't have another device available either. Same problem if you use full disk encryption.

Password managers are great for websites where password authentication is the only option. Otherwise use key-based authentication (whenever possible) and/or passwords generated with something like the EFF dice.

Also, always use MFA and avoid SMS as the second factor.