In section 5 they talk about generating the passwords, but I think taking them from existing known password databases (excluding those that are within a typo of the real password) would make them more likely to get hits. It would also make them almost impossible to distinguish from the real user passwords, since they would in fact be real user passwords.
