
Ask HN: How to minimize risk when having to disclose passwords on US border? - shadowbit
The word on the street seems to be that no matter what, you can be asked for your passwords if you want to enter the USA nowadays, and if you don't comply the best you can hope for is to be sent back. Until now I've read here on HN mostly some strategies on how to not comply with plausible deniability. But how about another assumption?

Assuming Joe

* is not a security expert
* doesn't know his passwords and uses a password manager
* has 2nd factor authentication enabled (but only) on some of the logins (some tokens, some TOTP, some SMS)
* doesn't want to deceive or lie to the requester (border agent?) and doesn't want to give the agent reasons to detain Joe, confiscate Joe's devices... and so he's willing to comply

how does Joe even reduce risk in his compliance?

Is changing all passwords as soon as possible after crossing borders the best risk reduction he can do? (Considering he just gave up a lot of passwords just because he unlocked the password manager, it's already a pretty exhausting burden IMHO.) Maybe, having a list of required logins, one could have a separate temporary "vault" of logins just for the required accounts, hence avoiding compromising all other logins (and change the temp vault's passwords ASAP)?

What about the 2nd factors? Will the software ones require a refresh? How about the hardware ones or the U2F ones (I don't think you can refresh them)? Maybe disabling 2nd factors until the border is crossed? Possibly even not bringing the hardware ones and re-enabling them after crossing with a new one that wasn't "imported" while traveling?

Thanks for your opinions
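On the "will the software ones require a refresh?" question, the following is an added example (not from the thread or any poster): a plain RFC 6238 TOTP implementation that makes the point concrete. A software second factor is a function of only the shared seed and the clock; the account password never enters the computation. So if the authenticator app's seed was copied along with the rest of the phone, changing the account password afterwards changes nothing about the second factor, and only re-enrolling with a fresh seed (a new QR code) does. The seed below is the RFC 6238 Appendix B test vector, not a real secret; the Base32 string is the same seed in the form authenticator apps store it.

```python
"""RFC 6238 TOTP from a shared seed, to show what a 'refresh' of a software
second factor actually has to change. Added example, not from the thread."""
import base64
import hashlib
import hmac
import struct
import time

# Test seed from RFC 6238 Appendix B (SHA-1 column); not a real secret.
RFC_TEST_SEED = b"12345678901234567890"
# The same seed as an authenticator app stores it in an otpauth:// URI.
RFC_TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Note the inputs: seed and time only. No password is involved."""
    return hotp(secret, unix_time // step, digits, algorithm)


def decode_base32_seed(seed_b32: str) -> bytes:
    """Decode the Base32 seed found in an otpauth:// URI or app backup (re-adding padding)."""
    cleaned = seed_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Server-side check accepting +/- `window` steps of clock skew, using a
    constant-time comparison so the check itself does not leak the code."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def seed_rotation_needed(old_seed: bytes, new_seed: bytes, unix_time: int) -> bool:
    """True if the old (possibly copied) seed still produces the accepted code,
    i.e. the second factor has NOT actually been refreshed."""
    return verify_totp(new_seed, totp(old_seed, unix_time), unix_time)


if __name__ == "__main__":
    now = int(time.time())
    seed = decode_base32_seed(RFC_TEST_SEED_B32)
    print("current code from the test seed:", totp(seed, now))
    # "Changing the password" leaves the seed alone: the copied seed still works.
    print("copied seed still valid after password change:",
          seed_rotation_needed(seed, seed, now))
    # Re-enrolling generates a new seed; the copied one is now useless.
    # (A constructed replacement seed, for illustration only.)
    fresh_seed = b"constructed-new-seed"
    print("copied seed still valid after re-enrollment:",
          seed_rotation_needed(seed, fresh_seed, now))
```

Run it and the two printed booleans say it directly: with the same seed the old copy keeps producing accepted codes, with a newly enrolled seed it does not. The same reasoning applies to the vault question above: a copied vault plus the password it was unlocked with at the time stays readable regardless of what the master password is changed to afterwards.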
======
anndr0id
The strongest advice, and one I've heard from several experts, is: don't travel
out of the country with your phone. Joe could get a pay-per-use phone, or have a
2nd phone to use just for travel.

Changing just the vault password would be useless. I'm unaware of what level
of tools border control has at its immediate disposal, but they do make a
copy of your phone contents from what I've heard, and passwords can be decoded
from that after the fact. Once you get it back they've already got what they
want.

Second best to that, IMO, is to set the phone to wipe after a number of incorrect
password attempts, which is good security in case a phone is stolen anyway. It
might not be considered "compliance", however, but you'd be handing over your
phone (given the ability, if stopped, to enter the wrong password x number of
times before being asked for the phone).

But after the fact, being caught in the situation and complying, I would
suggest completely wiping the device, deleting/recreating any account that
isn't essential, changing passwords for all that are and enabling 2FA as
possible.

And non-tech related: carrying the number for the ACLU or an attorney written
down is essential for anyone who might be flagged.

