The other day, I watched a friend of mine unlock his company blackberry phone so that he could read a message he had just received.

The company uses a BES to enforce a password complexity policy that requires the unlock code to contain at least one digit or special character, and it also enforces a screen lock after only a few minutes, meaning that this friend of mine is constantly having to enter his unlock code to get at his mail.

Because smartphones have stupid little keyboards that are frustrating to use, and because of the password complexity policy, my friend had picked an unlock code that was quick and convenient to enter.

Basically, every digit and special character requires you to make two different keypresses except for zero, which has it's own key in the lower left of the keypad next to the spacebar.

What my friend did was put one thumb on the zero key and the other thumb on the 'p' button, which is in the top right corner, and to alternate keypresses until he reached the minimum passphrase length.

We know that people are lazy and forgetful when it comes to picking passwords - that's why wordlists are so successful. What I hadn't really thought about until yesterday was how frustrating little keyboards like the ones on smartphones could lead to passwords that were strong against the usual wordlists, but which would be very vulnerable to a wordlist that was tailored towards specific keyboard layouts.

I've done some googling on the idea and come up with very little. Surely this is something that others have thought of? has anyone on these forums perhaps read something somewhere that they can point me towards?