SSC Editorial: Would a Duress Password be a Good Idea?

Would a Duress Password be a Good Idea? ran on April 21, 2015 in the newsletter. Good editorials should provoke thought and discussion. I rate it as partially successful. I knew when I wrote it that the idea of coercing a password from someone was an edge case that’s easy to dismiss, but those cases do exist, both in the physical and virtual worlds. How I wrote it – that’s a reminder to watch the things that can distract from the message, in this case my example of one way to implement a duress code by changing case on an existing password. Still, a decent amount of discussion.

So what was the inspiration? Many years ago when I worked for my uncle I was one of a handful of people that had what was called “unaccompanied access” to a vault containing more than a hundred fairly serious automatic weapons, meaning I had the combinations, keys, and authorization to open the vault at any time and allow removal of items. I won’t go into details, but we had a method of signaling duress in the case of someone trying to force us to open the vault and that signal would call in the response team. Being granted that kind of trust is a big deal and as Spiderman says, with it comes great responsibility.

It’s not that we don’t take security seriously in IT – surely we do – but because it’s a shared responsibility I don’t know that we look at it quite the same way.