If you're confused, don't worry; you're in good company; even security "experts" don't understand the comic:

• Bruce Schneier thinks that dictionary attacks make this method "obsolete", despite the comic assuming perfect knowledge of the user's dictionary from the get-go. He advocates his own low-entropy "first letters of common plain English phrases" method instead: Schneier original article and rebuttals: 1 2 3 4 5 6
• Steve Gibson basically gets it, but calculates entropy incorrectly in order to promote his own method and upper-bound password-checking tool: Steve Gibson Security Now transcript and rebuttal
• Computer security consultant Mark Burnett almost understands the comic, but then advocates adding numerals and other crud to make passphrases less memorable, which completely defeats the point (that it is human-friendly) in the first place: Analyzing the XKCD Passphrase Comic
• Ken Grady incorrectly thinks that user-selected sentences like "I have really bright children" have the same entropy as randomly-selected words: Is Your Password Policy Stupid?
• Diogo Mónica is correct that a truly random 8-character string is still stronger than a truly random 4-word string (52.4 vs 44), but doesn't understand that the words have to be truly random, not user-selected phrases like "let me in facebook": Password Security: Why the horse battery staple is not correct
• Ken Munro confuses entropy with permutations and undermines his own argument that "correct horse battery staple" is weak due to dictionary attacks by giving an example "strong" password that still consists of English words. He also doesn't realize that using capital letters in predictable places (first letter of every word) only not increases password strength by a bit (figuratively and literally): CorrectHorseBatteryStaple isn’t a good password. Here’s why.
  Sigh. 🤦‍♂️