Would a Duress Password be a Good Idea?

  • Comments posted to this topic are about the item Would a Duress Password be a Good Idea?

  • letting them configure a second password that would be a minor variation of the first – maybe one letter switched from lower to upper case

    I can't imagine what could pOssibly go wrong.

  • Firstly, if you have arrived at the point where you need a duress password, your physical security is already compromised.

    Secondly, before going down this road, it would be worth considering what proportion of security breaches are due to passwords extracted under duress. I have no data but suspect intuitively that it is extremely small.

    Thirdly, I would advocate making a duress password completely different to the proper one, and as hopefully it would be used infrequently, it should not change so often as regular passwords.

    It would be important to consider how the system should respond to the entry of a duress password. It may be only a few minutes before the attacker realises the access gained is not full access, at which point the life of the employee under duress may be at risk. The response to a covert emergency alert needs to be in this kind of timescale.

  • Interesting idea, except duress codes don't change behavior of the alarm systems themselves. The alarms are disabled, but the authorities are immediately dispatched to the location.

    An attacker doesn't need to be physically in the same location as a database (or the victim) to access it, so the value is limited.

    Still, some out-of-the-box thinking about security is always a good idea if for no other reason than to stir up some brainstorming.

    ____________
    Just my $0.02 from over here in the cheap seats of the peanut gallery - please adjust for inflation and/or your local currency.

  • First of all, the made-for-TV scenario probably wouldn't happen. Family member or not, I would immediately wonder why I'm being asked for a password and not give it to them. That's just a given and makes me wonder why anyone would give out their password. I suppose there are extenuating scenarios where physical harm, hostages, etc. could be involved, but not too many. Like a previous post said, the percentage of breaches that fall into this scenario is a number I would think would be small.

    However, the whole concept of a duress password is a fascinating idea I've never even considered. I would definitely say that the duress password should be completely different than anything real. With Windows authentication, I think it would have to be a whole new account. I'll definitely give this more thought.

    That was a really cool article that got the creative juices flowing. Thanks, Andy.

    Edit: Fixed wording.

  • The whole problem is the "not a national security threat" part of the premise. I might argue even for the national security case as my personal/family security > national security in a biological/psychological sense.

    But for scenarios that aren't likely to lead to physical harm (hacking a bank database, random retailer etc): why would I ever give the duress password? At best it goes unnoticed by the one threatening me and saves the company some money/goodwill. At worst it gets detected and gets me and my family killed. I have little to gain from the best outcome and a lot to lose from the worst outcome. If black helicopters are supposed to descend to rescue me I'm not sure how where the password is being used would necessarily be where I'm being held hostage, wouldn't it be better to just put a GPS tracker on me and a distress button to activate it instead?

    If the data is of such value that my personal security is at risk then the company needs to pay for sufficient physical security to protect me and/or I need a new job: some information is important enough that it is worth dying for but that doesn't mean I want it to be my job to be the one dying for it.

  • The user id + duress password combination should redirect to a "honeypot" server that mimics a production environment in such a way that it would take some time for the villain to discover. In addition to containing convincing mockup data and enhanced auditing, it should also immediately trigger an alarm.

    http://en.wikipedia.org/wiki/Honeypot_(computing)

    However, any employee with privileged access to the corporate databases should be properly trained in anti-interrogation techniques and sign a waiver stating that they will under no circumstances relinquish their credentials to a hostile 3rd party, even under threat of death. That's really the first line of defense; ensuring that key personnel are properly trained and committed.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

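An added example, not part of any post in this thread: a minimal sketch of the login-side logic the posts above discuss, where a duress credential is routed to a honeypot with a silent alert, and enrollment refuses a duress password that is a near-variant of the real one (the accidental-trip concern raised about the one-letter-case idea). The function names, the `MIN_DISTANCE` threshold, the sample passwords and the `alert` callback are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

MIN_DISTANCE = 4  # assumed policy threshold, not taken from the thread

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def enroll(real: str, duress: str) -> dict:
    """Store salted hashes; refuse a duress password that is a near-variant."""
    # Compare case-folded so a single case flip counts as distance 0.
    if edit_distance(real.casefold(), duress.casefold()) < MIN_DISTANCE:
        raise ValueError("duress password too similar to the real one")
    record = {}
    for kind, pw in (("real", real), ("duress", duress)):
        salt = os.urandom(16)
        record[kind] = (salt, _hash(pw, salt))
    return record

def authenticate(record: dict, attempt: str, alert) -> str:
    """Return 'production', 'honeypot' or 'denied'."""
    # Evaluate both hashes on every attempt so timing does not reveal
    # which credential (if any) matched.
    matched = {
        kind: hmac.compare_digest(_hash(attempt, salt), digest)
        for kind, (salt, digest) in record.items()
    }
    if matched["duress"]:
        alert("duress credential used")  # silent: nothing is shown to the session
        return "honeypot"
    return "production" if matched["real"] else "denied"

if __name__ == "__main__":
    alerts = []  # constructed stand-in for a paging/SIEM hook
    rec = enroll("Tr0ub4dor&3", "violet-kettle-19")  # constructed sample passwords
    for pw in ("Tr0ub4dor&3", "violet-kettle-19", "wrong"):
        print(pw, "->", authenticate(rec, pw, alerts.append))
    print(alerts)
```

The caller is expected to give the honeypot session the same visible login response as a production session, so the only observable difference is on the defender's side.
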
  • Eric M Russell (4/21/2015)


    ...

    However, any employee with privileged access to the corporate databases should be properly trained in anti-interrogation techniques and sign a waiver stating that they will under no circumstances relinquish their credentials to a hostile 3rd party, even under threat of death. That's really the first line of defense; ensuring that key personnel are properly trained and committed.

    I hope that's tongue-in-cheek. Other than certain military and similar situations, NO ONE should have to sign such a waiver. Ever.

    On the other hand, this can be useful (it's been proposed for ATM accounts as well, where someone might be accosted by a robber), but only insofar as the person can pull it off realistically. Most of us cannot, under that kind of pressure, and experienced criminals may not be so gullible.

    There is an interesting variant on this in the TrueCrypt package. A volume normally contains encrypted material and randomized junk filler (created by a dummy encryption process). It's possible, however, to create a hidden volume in this 'junk' accessible from a second password, but it's not possible to determine if a second volume exists or not. How well can you bluff?

    ...

    -- FORTRAN manual for Xerox Computers --

  • I really can't think of many cases where this would be necessary. Breaking into your home or vault is a time limited extraction. They want to delay response until they have what they want and leave, but they very clearly know that people were aware they were there.

    Hacking into a corporate database loses a lot of its value when you basically announce to the DBA/sysadmin you will be doing it since he is the one you hold at gunpoint. And here you aren't stealing jewels or money. If the goal is malware the company knows soon enough they were compromised and work to mitigate. If your goal is destroying data it will work, but you need a scenario where that is the goal and the people are willing to commit a further felony and reveal that they had that goal, exposing a specific motive. Stealing information is more likely as it could already be done in the time window allowed, but even if you get a bunch of user passwords or credit card numbers, having the company immediately aware of the system being compromised affects the value you can get from it.

    On top of which, despite all the money being spent on security, a lot of hackers can get into a lot of companies without ever having to do something so conspicuous and dramatic.

    And I think having the duress password close to the actual one seems like an excellent way to accidentally trip it and cause a panic.

  • I love it. Make a movie.

  • Iwas Bornready (4/21/2015)


    I love it. Make a movie.

    We need an action movie where the hero is a fed up IT guy. It seems like we always get marginalized as supporting characters, or on occasion the villain.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • I like the honeypot idea, but wouldn't you pretty much need a full-time sysadmin to maintain it and keep it looking current and monitor it? I guess the honeypot could trip an alert to network control if it goes active. What if Bob has a doctor appointment scheduled after lunch and doesn't come back? We think he just took off the rest of the day, but what actually happened is he's under the control of a bunch of rogue RPG developers and Oracle DBAs intent to do damage!

    At one agency that I was at we had a pretty decent system: our normal workaday account had no admin privilege: normal email, internet access, whatever, that we could do. Our admin accounts had no internet or email access, we ran a VM OS to use them. So go ahead, give up your normal account: it doesn't get them in to the goodies. And if you give them your admin account, they have to have physical access, which normally means that you're screwed anyway.

    I've always thought it'd be cool to have an encrypted list of questions and answers for key personnel accessing critical systems, they have to answer one or two plus a 'prove you're not a machine' question. But we know based on large data breaches and identity theft that even those aren't very secure. So set a team to try to break accounts based on public searches, and if they breach a question because of public data, they get a $50 bonus that the key person has to pay! They'd soon learn how to do better questions and answers.

    I guess you could also do a 'No Lone Zone' rule where two people have to enter passwords to grant access to a critical system.

    The scenario makes for a fun movie, and it may have happened in some form, but I think it falls in to the edge case that you just can't realistically defend against.

    They should get Ben Affleck to play the IT geek for the movie version (even though Harrison Ford already did one, didn't he?), he had fun when he did Paycheck.

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • The newest security is using USB keys to allow a user to login along with the password and physical access. It would have to be a pretty big payoff to go to the trouble of trying to break all of that. Maybe a war situation or something just below that or one heck of a lot of money.

  • Eric M Russell (4/21/2015)


    Iwas Bornready (4/21/2015)


    I love it. Make a movie.

    We need an action movie where the hero is a fed up IT guy. It seems like we always get marginalized as supporting characters, or on occasion the villain.

    Without explosions it won't sell.

    ...

    -- FORTRAN manual for Xerox Computers --

  • John Hanrahan (4/21/2015)


    The newest security is using USB keys to allow a user to login along with the password and physical access. It would have to be a pretty big payoff to go to the trouble of trying to break all of that. Maybe a war situation or something just below that or one heck of a lot of money.

    The stakes are getting higher. An article I read recently pointed out how cloud providers are becoming a high value target, much higher than any individual company. State and quasi-state actors are now involved (it's not just about credit card numbers anymore), the potential for bombings, or even armed invasion (as in some bank robberies) are feasible.

    ...

    -- FORTRAN manual for Xerox Computers --
