Close Menu
TechCentralTechCentral

    Subscribe to the newsletter

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    Facebook X (Twitter) YouTube LinkedIn
    WhatsApp Facebook X (Twitter) LinkedIn YouTube
    TechCentralTechCentral
    • News
      How Amazon outmanoeuvred Starlink in South Africa

      How Amazon outmanoeuvred Starlink in South Africa

      15 July 2026
      Amazon Leo all set for South African launch - From left, Maziv CEO Dietlof Mare, communications minister Solly Malatsi, Herotel CEO Van Zyl Botha and Amazon's David Zapolsky

      Amazon Leo all set for South African launch

      15 July 2026
      SpaceX is the Dutch East India Company of the space age

      SpaceX is the Dutch East India Company of the space age

      15 July 2026
      The internet has a Strait of Hormuz problem

      The internet has a Strait of Hormuz problem

      15 July 2026
      Cape Town's Cue raises R82-million to take AI service agents global

      Cape Town’s Cue raises R82-million to take AI service agents global

      15 July 2026
    • World
      Swingeing jobs cuts at Microsoft's Xbox unit

      Swingeing jobs cuts at Microsoft’s Xbox unit

      6 July 2026

      SK Hynix ends Samsung’s 26-year reign at the top

      22 June 2026
      Google on the hook for what its AI tells users, court rules

      Google on the hook for what its AI tells users, court rules

      15 June 2026
      How Russians juggle VPNs to outwit the Kremlin

      How Russians juggle VPNs to outwit the Kremlin

      15 June 2026
      Amazon CEO flagged Anthropic AI risks to Washington - Andy Jassy

      Amazon CEO flagged Anthropic AI risks to Washington

      14 June 2026
    • In-depth
      AI boom sparks rally, frenzy and fear

      AI boom sparks rally, frenzy and fear

      11 June 2026
      Every plug-in hybrid on sale in South Africa, ranked by price - Lamborghini Temerario

      Every plug-in hybrid on sale in South Africa, ranked by price

      7 June 2026
      What Wi-Fi 8 will mean for wireless networks

      What Wi-Fi 8 will mean for wireless networks

      1 June 2026
      Alfa's electric rebel - Alfa Romeo Junior Elettrica Veloce

      Alfa’s electric rebel

      29 April 2026
      Africa switches on as Europe dims the lights

      Africa switches on as Europe dims the lights

      9 April 2026
    • TCS
      Watts & Wheels S1E7: 'Ferrari's EV breaks the internet'

      Watts & Wheels S1E7: ‘Ferrari’s EV breaks the internet’

      8 July 2026
      TCS+ | How Tracker is turning vehicle data into business strategy - Silvia Schollenberger

      TCS+ | How Tracker is turning vehicle data into business strategy

      1 July 2026
      TCS+ | IBM Bob: an AI-powered 'development partner' for the enterprise - David Spurway

      TCS+ | IBM Bob: an AI-powered development partner for the enterprise

      30 June 2026
      Watts & Wheels S1E6: 'A flawless Alfa and a bakkie that divides'

      Watts & Wheels S1E6: ‘A flawless Alfa and a bakkie that divides’

      17 June 2026
      Watts & Wheels S1E6: 'A flawless Alfa and a bakkie that divides'

      Watts & Wheels S1E5: ‘A Bentley of the bush and a car that swims’

      8 June 2026
    • Opinion
      The author, Fanie van Rooyen

      South Africa can still catch the AI wave – here’s how

      7 July 2026
      The author, Fanie van Rooyen

      The AI utopia South Africa can’t afford

      1 July 2026
      The author, Jannie van Zyl

      South Africa’s broadband future is being decided in orbit, not in Pretoria

      30 June 2026
      The author, Pambos Soteriades

      The pivot South Africa’s MVNOs cannot afford to miss

      23 June 2026
      Brazil's online gambling crackdown is a lesson for South Africa

      Brazil’s online gambling crackdown is a lesson for South Africa

      22 June 2026
    • Company Hubs
      • 1Stream
      • Africa Data Centres
      • AfriGIS
      • Altron Digital Business
      • Altron Document Solutions
      • Altron Group
      • Arctic Wolf
      • Ascent Technology
      • AvertITD
      • BBD
      • Braintree
      • CallMiner
      • CambriLearn
      • CM Telecom
      • Contactable
      • CYBER1 Solutions
      • Digicloud Africa
      • Digimune
      • Domains.co.za
      • ESET
      • Euphoria Telecom
      • HOSTAFRICA
      • Incredible Business
      • iONLINE
      • IQbusiness
      • Iris Network Systems
      • Kaspersky
      • LSD Open
      • Mitel
      • NEC XON
      • Netstar
      • Network Platforms
      • Next DLP
      • Ovations
      • Paracon
      • Paratus
      • Q-KON
      • SevenC
      • SkyWire
      • Solid8 Technologies
      • Telit Cinterion
      • Telviva
      • Tenable
      • Vertiv
      • Videri Digital
      • Vodacom Business
      • Wipro
      • Workday
      • XLink
    • Sections
      • AI and machine learning
      • Banking
      • Broadcasting and Media
      • Cloud services
      • Contact centres and CX
      • Cryptocurrencies
      • Education and skills
      • Electronics and hardware
      • Energy and sustainability
      • Enterprise software
      • Financial services
      • HealthTech
      • Information security
      • Internet and connectivity
      • Internet of Things
      • Investment
      • IT services
      • Lifestyle
      • Policy and regulation
      • Public sector
      • Retail and e-commerce
      • Satellite communications
      • Science
      • SMEs and start-ups
      • Social media
      • Talent and leadership
      • Telecoms
      • Watts & Wheels
    • Events
    • Advertise
    TechCentralTechCentral
    Home » In-depth » Why we should not know our own passwords

    Why we should not know our own passwords

    By The Conversation13 March 2017
    Twitter LinkedIn Facebook WhatsApp Email Telegram Copy Link
    News Alerts
    WhatsApp

    Since 2009, US customs and border protection agents have been allowed to search electronic devices carried by citizens or non-citizens as they cross the border into America from other countries. More recently, homeland security secretary John Kelly suggested this digital vetting should also include harvesting social media passwords. Kelly’s proposal prompted legal and technology experts to respond with an open letter expressing deep concern about any policy that demands that individuals violate the first rule of online security: do not share your passwords.

    Travellers themselves responded, too, looking for ways to avoid surrendering their device passwords to federal agents. One approach — what we might call the “nothing to see here” method — tries to make a device unsearchable by erasing the hard drive before travel, uninstalling social media apps, letting the device’s battery charge run out or even wiping the device if an emergency or “duress” password was entered.

    The “I’d love to comply, but I can’t” approach involves exotic solutions like installing two-factor authentication on the device or social media account, and then making the second factor (such as a passcode or digital key) available only in a remote location. Retrieving the second factor would require a warrant and travel outside the border crossing.

    These methods are dangerous because they put an already stressed traveller in the position of defying law enforcement at the border, a legal environment that is designed to support the government and not the traveller. Following this advice properly also requires careful execution of technical skills that most travellers don’t have. And the degree of advance planning and preparation required might itself be considered a sign of suspicious activity requiring deeper scrutiny by border officials.

    But it’s tempting to wonder: could computer scientists and software designers like me create a better password system? Can we make “I’d love to comply, but I can’t” the only possible answer for every traveller? In short, can we create passwords even their owners don’t know?

    The unknowable password

    Developing unknowable passwords is an active area of security research. In 2012, a team from Stanford University, Northwestern University and the SRI research centre developed a scheme for using a computer game similar to Guitar Hero to train the subconscious brain to learn a series of keystrokes. When a musician memorises how to play a piece of music, she doesn’t need to think about each note or sequence. It becomes an ingrained, trained reaction usable as a password but nearly impossible even for the musician to spell out note by note, or for the user to disclose letter by letter.

    In addition, the system is designed so that even if the password is discovered, the attacker is unable to enter the keystrokes with the same fluidity as the trained user. The combination of keystrokes and ease of performance uniquely ties the password to the user, while freeing the user from having to remember anything consciously.

    Unfortunately, in our border travel scenario, the agent could demand that the traveller unlock the device or application using the subconscious password.

    A team at California State Polytechnic University, Pomona, proposed a different solution in 2016. Their solution, called Chill-Pass, measures an individual’s unique brain chemistry response while listening to her choice of relaxing music. This biometric reaction becomes part of the user’s login process. If a user is under duress, she will be unable to relax enough to match her previously measured “chill” state, and the login will fail.

    It is unclear whether CBP agents would be able to defeat a system like Chill-Pass by providing travellers with, say, massage chairs and spa treatments. Even so, the stresses of daily life would make it impractical to use this kind of password regularly. A relaxation-based system would be most useful for people undertaking high-stakes missions where they fear coercion.

    And just like with other plans to make CBP scrutiny impossible, this might end up attracting more attention to a traveller, rather than encouraging officers to give up and move on to the next person.

    Can you score security?

    In 2015, Google announced Project Abacus, another solution to the “I’d love to comply, but I can’t” problem. It replaces the traditional password with a “Trust Score”, a proprietary cocktail of characteristics that Google has determined can identify you. The score includes biometric factors like your typing patterns, walking speed, voice patterns and facial expressions. And it can include your location and other unspecified elements.

    The Trust Score calculator constantly runs in the background of a smartphone or other device, updating itself with new information and recalculating the score throughout the day. If the Trust Score falls below a certain threshold, say by observing a strange typing pattern or an unfamiliar location, the system will require the user to enter additional authentication credentials.

    It’s unclear how a Trust Score authentication might affect a border search. A CBP agent could still demand that a traveller unlock the device and its apps. But if the agency couldn’t disable the Trust Score system, the phone’s owner would have to be allowed to hold the device and use it throughout the agent’s inspection. If someone else tried to use it, the constantly recalculated Trust Score could fall, locking out an investigator.

    That process would at least ensure a phone’s owner knew what information federal agents were collecting from the phone. That hasn’t been possible for some arriving travellers, including US citizens and even government employees.

    But the Trust Score system puts a lot of control in the hands of Google, a for-profit corporation that could decide — or could be compelled — to provide government with a way around it.

    So, now what?

    None of these technological solutions to the password problem is perfect, and none of them is commercially available today. Until research, industry and innovation come up with better ones, what’s a digital age traveller to do?

    First, do not lie to a federal agent. That’s a crime and will definitely attract more unwanted attention from investigators.

    Next, determine how much inconvenience you are willing to tolerate in order to remain silent or to refuse to comply. Noncompliance will have a cost: your devices could be seized and your travel could be seriously disrupted.

    Either way, if and when you are asked for your social media handles or passwords, or to unlock your devices, pay attention and remember as many details as you can. Then, if you wish, alert a digital civil liberties group that this happened. The Electronic Frontier Foundation has a Web page with instructions for how to report a device search at the border.

    If you think that sensitive materials might have been compromised in the search, notify family, friends and colleagues who might be affected. And — until we figure out a better way — change your passwords.The Conversation

    • Megan Squire is professor of computing sciences, Elon University
    • This article was originally published on The Conversation
    Follow TechCentral on Google News Add TechCentral as your preferred source on Google


    WhatsApp YouTube
    Share. Facebook Twitter LinkedIn WhatsApp Telegram Email Copy Link
    Previous ArticleSchism tears at bitcoin community
    Next Article Why Facebook is ripping off Snapchat

    Related Posts

    How Amazon outmanoeuvred Starlink in South Africa

    How Amazon outmanoeuvred Starlink in South Africa

    15 July 2026
    Amazon Leo all set for South African launch - From left, Maziv CEO Dietlof Mare, communications minister Solly Malatsi, Herotel CEO Van Zyl Botha and Amazon's David Zapolsky

    Amazon Leo all set for South African launch

    15 July 2026
    SpaceX is the Dutch East India Company of the space age

    SpaceX is the Dutch East India Company of the space age

    15 July 2026
    Company News
    Biometrics alone won't stop AI-powered fraud - Contactable

    Biometrics alone won’t stop AI-powered fraud

    15 July 2026
    How Paratus and Eutelsat are connecting Southern Africa's mines

    How Paratus and Eutelsat are connecting Southern Africa’s mines

    14 July 2026
    Rain supercharges 5G with Huawei

    Rain supercharges 5G with Huawei

    10 July 2026
    Opinion
    The author, Fanie van Rooyen

    South Africa can still catch the AI wave – here’s how

    7 July 2026
    The author, Fanie van Rooyen

    The AI utopia South Africa can’t afford

    1 July 2026
    The author, Jannie van Zyl

    South Africa’s broadband future is being decided in orbit, not in Pretoria

    30 June 2026

    Subscribe to Updates

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    Latest Posts
    How Amazon outmanoeuvred Starlink in South Africa

    How Amazon outmanoeuvred Starlink in South Africa

    15 July 2026
    Amazon Leo all set for South African launch - From left, Maziv CEO Dietlof Mare, communications minister Solly Malatsi, Herotel CEO Van Zyl Botha and Amazon's David Zapolsky

    Amazon Leo all set for South African launch

    15 July 2026
    SpaceX is the Dutch East India Company of the space age

    SpaceX is the Dutch East India Company of the space age

    15 July 2026
    The internet has a Strait of Hormuz problem

    The internet has a Strait of Hormuz problem

    15 July 2026
    © 2009 - 2026 NewsCentral Media
    Built and maintained by Chronon
    • Cookie policy (ZA)
    • TechCentral – privacy and Popia

    Type above and press Enter to search. Press Esc to cancel.

    Manage consent

    TechCentral uses cookies to enhance its offerings. Consenting to these technologies allows us to serve you better. Not consenting or withdrawing consent may adversely affect certain features and functions of the website.

    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    • Manage options
    • Manage services
    • Manage {vendor_count} vendors
    • Read more about these purposes
    View preferences
    • {title}
    • {title}
    • {title}