Passwords adapt to hacking technology

One of this week's xkcd comics makes the point that combinatorial passwords (sequence of common words) may be better than holistic ones (semi-random string).  This may be because we're fooled into thinking that a password that is difficult to remember will be difficult to guess.  This turns out not to be the case.  I'm currently thinking about whether combinatoriality would emerge from an iterated learning chain even if the participants were told to give answers that they thought nobody else would give.