I tried 24 fresh new accounts, the last 3 are 2 personal accounts and the test at the cannonfire blog post.
Right off the bat, notice we already have a dupe: "lusion", which kind of indicates yfrog uses a very simple and small dictionary.
The next interesting generated words are:
* g[udom], d[udom], t[udom]
Which obviously is "udom" with a variation on the first letter.
A common pattern seems to be that there are variations of prefixes and then the last sequences of the word are repeated.
* gu[ness], na[ness], ba[ness]
* my[ment], do[ment], he[ment]
* lu[sion], zoo[sion] (there's also voot[ion] but maybe that's another sequence)
* jan[ist], tif[ist], gyj[ist]
* jin[ity], batu[ity], jag[ity]
You see the patterns. We're either dealing with a static dictionary, or a very simple algorithm that is at least reusing the postfix part of the word. The prefix may also be reused, if it's randomly putting together strings.
It's pretty scandalous than an app would use an email address for security, but it's even worse that said email address is so easily guessed. In my small test of 27, I got 1 repeat and found many repated substrings. It wouldn't take much effort for an attacker to do this, specially since he/she just has to send a set of these combinations via email and wait for one to hit.
