Strictly speaking, you cannot measure the entropy of a password. (Or if you like, you can measure it, but the value is 0.) There is no entropy in a password: the entropy is in the way the password is generated.
This is explained in the xkcd comic: “correct horse battery staple” is just one example, what the password illustrates is the procedure to generate that password. Namely: “four random common words”. The next panel gives the quantification “44 bits of entropy”, which is based on 11 bits per word (i.e. choose each word randomly among 211 = 2028 words). That password generation procedure has 44 bits of entropy, which means that on average, an attacker who knows how the password was generated will need to make 243 guesses to find the password. (On average, the attacker needs to enumerate half the password space.)
The comic does not recommend that you pick “correct horse battery staple” as your password. It recommends that you select 4 random words. The pattern is known, but not the random choices. Diceware is a popular variant of this method: you pick words on a list of 65 words by rolling five dice for each word.
To put it yet another way: there are two aspects in choosing a password, the randomness and the cleverness. The method is cleverness and does not contribute to the security of the password. The randomness makes the password secure, regardless of any cleverness. Cleverness is only useful to make the password easier to type and remember. If you're clever, you only get protection against attackers who are less clever than you.
A method like “pick random words” is easy to quantify because as long as the random choices are independent, the entropy adds up. If you add constraints (e.g. generate something and “smooth it out” to make it memorable), you need to count the number of possibilities that remain and take care if the smoothing can map several different random rolls to the same final password.
Yes, there are tools to check the strength of a password. They come in two kinds. The fast ones apply some heuristics. They don't always get it right, because they have no idea how the password was generated; they tend to favor passwords with clever bits over passwords with randomness. Since they see only the final result and not the generation method, they cannot take randomness into account. For example (picked at random — not in the cryptographic sense) passwordmeter.com tells me that “correcthorsebatterystaple” is weak (25%) and “homechasebogbigamy” (which I just generated randomly with the XKCD procedure) is very weak (19%). Yet if I'd only told you how I'd generated that second password and not what the random choice was, it would take 1000 computers about 3 year to find at 100 attempts/second/computer! In contrast, pass+word1! is rated strong (64%).
The second kind of password strength checker is… cracking software. This gives you the perfect measure of your password against that same cracking software. It doesn't tell you much about other cracking software.
The best way to ensure that your password is secure is to measure the amount of randomness that goes into it. N bits of randomness = 2N-1 guesses needed on average to crack it. Figure out how much you want 2N-1 to be and deduce N.
Exercise: to generate “homechasebogbigamy”, I used a list of 4172 distinct words in alphabetical order and generated each word by taking a random word among the first 2048. Assume that list is public. Does the fact that the list was sorted alphabetically reduce the entropy of the password? Is my claim that this procedure has 44 bits of entropy correct?
