US Court Rules Passwords are Protected Because Testimonial

There’s a part of a new decision that I keep re-reading, just to make sure I read it right:

As a passcode is necessarily memorized, one cannot reveal a passcode without revealing the contents of one’s mind.

I mean that’s just not true. The old joke about people putting sticky notes with passcodes on their monitors exists because passcodes are sometimes too hard to memorize. The reason NIST backed off complexity requirements and forced rotation is that passcodes turned out to be too hard to memorize and people were storing them unsafely.

We all recommend password managers and unique passwords for every site, which together are far too much to memorize. The entire password market doesn’t believe passwords are necessarily memorized.

And then there’s the simple fact that passcode sharing often uses communication channels that rely on storage other than the human mind.

Also, beyond being wrong, that sentence seems unnecessary to the decision. If the password in this case was never written down, despite the accused saying he used one 64 characters long, then this case is the exception. The fact remains that passcodes are very often stored outside the human mind.

The rest of the decision is not terribly surprising:

…the compelled production of the computer’s password demands the recall of the contents of Appellant’s mind, and the act of production carries with it the implied factual assertions that will be used to incriminate him. Thus, we hold that compelling Appellant to reveal a password to a computer is testimonial in nature.
