I'm not a touch typist (although I am also not quite a hunt-and-peck typist, either). And using only about 6 fingers (well, I am counting both thumbs in this count, and sometimes I use my other fingers as well) I have no problems typing in my long (40-50 char) pass phrase!

However, I am a computer geek (well, I prefer to be known as a nerd, but I have Nerd Pride, so... ;-) Anyways, I have a feeling that Steve's testing was done with non-computer-geek-type people. I.e., secretaries, managers, and high-up muckety-mucks. Is this true, Steve? What was your sample space in your research?

My tests were informal. The target was mostly taken from the sci.crypt readership -- I don't deal much with management... The initial tests were on passphrases of lengths from 12 to 20, as I recall. The phrases were created by choosing random words from /usr/dict/words -- and the resulting pass-phrases were exceedingly weird, which may have contributed to folks' difficulty in typing them. Not that the scores were bad, but they weren't great. Access was by telnetting to a special port (or was it a special login? I forget). All and sundry are welcome to participate.

Anyway, I never had a chance to follow up, since I was distracted by the book I was writing. That's done, and I'm getting back to research (though I'm thinking of starting another book this fall...). Rerunning the experiment, using longer passphrases, is high on my list; there's some chance I'll be getting to it this summer, along with a student who's working for me. (We're currently working on another project of interest to this audience; the paper will be available for ftp when it's ready, though that's still a couple of months off.)

--Steve Bellovin

P.S. For the record -- I've been a touch typist for >30 years, as appalling as that number sounds. And secretaries are likely to be *better* typists, not worse. My concern for folks' typing ability was just that: concern. We don't *know*.
We do know that lots of folks aggressively pick bad passwords; it isn't at all clear to me if the problem is typing, memory, or both. Passphrases will tend to exacerbate both problems.