[Owasp-singapore] A poll on the popularity of use of duress passwords in applications

Wong Onn Chee ocwong at usa.net
Tue Feb 3 23:21:48 EST 2009


Hi folks,

I would like to know how many commercial applications that you have seen or
developed make use of duress passwords.

For your information, duress passwords are used during times of "duress"
(sorry for stating the obvious), so that limited access can still be
given but alerts/alarms will be sent out silently. This allows some
central body to be alerted and necessary remedial/rescue actions can be
taken.
Of course, the GUI of the application should not provide any indication
that a duress password was entered, as the beauty of a duress password lies
with its anonymity.

A duress password is especially useful when the authorised user is under
physical threat or coercion.
To protect the authorised user who is under threat, allowing the
authorised user to access the system with a restricted-access, duress
password is a much better option than forcing the criminal to physically
harm the authorised user who cannot give away the full access password.

The use of duress passwords is more commonly found in military uses, but
I would like to know the extent of such use in commercial applications.
And also the reasons why duress passwords are not used if otherwise.

Thank you for your attention.

Regards
Onn Chee
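
The behaviour described in the message above (restricted access, a silent alert, and no visible difference in the GUI), as an added Python example that is not part of the original post or of any product's code. The scope names, the in-memory ALERTS list standing in for the alert channel, and the function names are assumptions made for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass

FULL = frozenset({"read", "transfer", "admin"})   # assumed scope names
LIMITED = frozenset({"read"})                     # restricted access under duress
ALERTS = []  # stand-in for the out-of-band channel to the monitoring body

@dataclass
class Account:
    salt: bytes
    normal_hash: bytes
    duress_hash: bytes

@dataclass
class Session:
    user: str
    scopes: frozenset   # held server-side only

def _kdf(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the example runs quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def enroll(normal: str, duress: str) -> Account:
    if normal == duress:
        raise ValueError("duress password must differ from the normal one")
    salt = os.urandom(16)
    return Account(salt, _kdf(normal, salt), _kdf(duress, salt))

def login(db: dict, user: str, password: str):
    acct = db.get(user)
    if acct is None:
        return None
    candidate = _kdf(password, acct.salt)
    # Run both comparisons on every attempt so the work done does not
    # depend on which password (if any) was supplied.
    is_normal = hmac.compare_digest(candidate, acct.normal_hash)
    is_duress = hmac.compare_digest(candidate, acct.duress_hash)
    if is_duress:
        ALERTS.append(user)          # silent alert; nothing returned to the caller
        return Session(user, LIMITED)
    return Session(user, FULL) if is_normal else None

def client_view(session) -> dict:
    # What the GUI receives: the same shape and content for both passwords
    if session is None:
        return {"status": "denied"}
    return {"status": "ok", "user": session.user}
```

The restriction is enforced by checking the session's scopes on the server for each action, so the client never needs to be told which password was used.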



