It's been implemented in video games, at least! The "NARPAS SWORD" password in Metroid comes to mind.

The practical issue here is that a secret password to release the hounds or whatever is only useful if someone is able to use it at the appropriate time. It's hard to memorize a password you don't use. The number of cases where a "release the hounds" password is going to be usable and useful where a "log into admin account which has a 'release the hounds' button" wouldn't be is going to be very low.




The fact that you remember the one from a videogame makes it seem like that would be a good candidate password for this purpose. If it's used to wipe the data (which is backed up), then it shouldn't need to be as secure as a regular password. In fact, it might be preferable to be less secure so that someone trying to brute force would hit the duress password first.


If we're talking about the specific case of duress passwords, sure. Although in that case the better defense against brute forcing is to wipe the data after too many failures. And at some point you might as well just put a "self destruct" button on there and skip the need for a password.


"the better defense against brute forcing is to wipe the data after too many failures."

Is it though? I thought some intelligence agencies have the ability to bypass the tries counter. In that case, the password would still trigger the wipe. That's not as easy to defeat because they don't know what password to avoid during the attempt, as opposed to knowing that after 10 tries it will wipe.


Maybe, but you'd have to be there to type the password, in which case you could just get it wrong a few times and you'd be in the same place.


If you get it wrong a few times they hit you with a $5 wrench and/or you go to prison for obstruction of justice.


How can you go to prison for obstruction of justice when files are encrypted with passwords you don't know?

In the 90's I had a Visual Basic addon which was an AI that monitored the keyboard typing pattern. It could identify who was typing at the keyboard, so you could use it as a backup to lock the system if someone had discovered the password. That app could also be used to encrypt files independently, and only decrypt files when the typing pattern matched the username and password.

Not the only thing which could be used to decide if someone is the genuine user; some users might have tics like Tourette's, but involve unusual mouse movements or clicks. Or they could be things like having to switch on the NumLock on a keyboard in order to type in a numerical password. These are all very subtle behaviours which might not be spotted by someone after the password to get into a system.

Edit: So Windows has had AI built into its GUI since at least Windows 2000, really noticeable in XP; it's the benign-sounding Mouse Properties "Enhance pointer precision", but this can also be used to work out who is using the Windows GUI by comparing the operation of the GUI, things like do windows get resized or maximised, do some programs tend to be used on a particular monitor (if a multi-monitor setup), and how on target is the user when closing a window, i.e. where do they consistently hit the big red X close button in the top right of a window and how quickly do they do this. All this is metadata to further work out who is actually using the computer or not. Linux AFAIK doesn't have this, so you have more privacy with Linux in some respects.
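The typing-pattern idea in the comment above (identify the person at the keyboard from how they type, and use that as a second check on top of the password) is usually called keystroke dynamics. The following is an added example, not the Visual Basic addon the commenter describes: it enrols a profile of inter-key latencies per digraph from a few typings of the same password, then scores a new typing by its average z-score against that profile. The key timings below are constructed sample data, and the 5 ms standard-deviation floor, the 2.0 acceptance threshold and all function names are assumptions for this example.

```python
"""Keystroke-dynamics check on a typed password (added example, constructed data)."""
import statistics
from typing import Dict, List, Tuple

# A typing sample is a list of (key, press time in milliseconds).
Sample = List[Tuple[str, float]]
Digraph = Tuple[str, str]
Profile = Dict[Digraph, Tuple[float, float]]  # digraph -> (mean latency, std dev)

SD_FLOOR_MS = 5.0        # assumption: avoid dividing by a near-zero spread
ACCEPT_THRESHOLD = 2.0   # assumption: mean |z| above this looks like someone else


def digraph_latencies(sample: Sample) -> Dict[Digraph, float]:
    """Time between consecutive key presses, keyed by the pair of keys."""
    return {(a, b): t2 - t1 for (a, t1), (b, t2) in zip(sample, sample[1:])}


def enroll_profile(samples: List[Sample]) -> Profile:
    """Build per-digraph mean/std-dev statistics from several genuine typings."""
    per_digraph: Dict[Digraph, List[float]] = {}
    for s in samples:
        for dg, latency in digraph_latencies(s).items():
            per_digraph.setdefault(dg, []).append(latency)
    profile: Profile = {}
    for dg, lats in per_digraph.items():
        mean = statistics.fmean(lats)
        sd = statistics.pstdev(lats) if len(lats) > 1 else 0.0
        profile[dg] = (mean, max(sd, SD_FLOOR_MS))
    return profile


def score(profile: Profile, sample: Sample) -> float:
    """Mean absolute z-score of the sample's latencies against the profile.

    Digraphs the profile has never seen are skipped; a sample with no
    comparable digraphs scores infinity (cannot be the enrolled typist).
    """
    zs = [
        abs(latency - profile[dg][0]) / profile[dg][1]
        for dg, latency in digraph_latencies(sample).items()
        if dg in profile
    ]
    return statistics.fmean(zs) if zs else float("inf")


def matches(profile: Profile, sample: Sample, threshold: float = ACCEPT_THRESHOLD) -> bool:
    """True when the typing rhythm is close enough to the enrolled profile."""
    return score(profile, sample) <= threshold


# Constructed data: the owner typing the password "hound" three times at
# enrolment, then once more later; and someone else typing the same
# (already known) password with a very different rhythm.
OWNER_SAMPLES: List[Sample] = [
    [("h", 0), ("o", 120), ("u", 210), ("n", 360), ("d", 470)],
    [("h", 0), ("o", 130), ("u", 215), ("n", 375), ("d", 480)],
    [("h", 0), ("o", 110), ("u", 205), ("n", 350), ("d", 465)],
]
OWNER_ATTEMPT: Sample = [("h", 0), ("o", 125), ("u", 217), ("n", 372), ("d", 480)]
IMPOSTOR_ATTEMPT: Sample = [("h", 0), ("o", 60), ("u", 260), ("n", 320), ("d", 570)]


def demo() -> Tuple[bool, bool]:
    """Returns (owner accepted, impostor accepted) for the constructed data."""
    profile = enroll_profile(OWNER_SAMPLES)
    return matches(profile, OWNER_ATTEMPT), matches(profile, IMPOSTOR_ATTEMPT)


if __name__ == "__main__":
    profile = enroll_profile(OWNER_SAMPLES)
    print("owner score:   ", round(score(profile, OWNER_ATTEMPT), 2))
    print("impostor score:", round(score(profile, IMPOSTOR_ATTEMPT), 2))
    print("owner/impostor accepted:", demo())
```

A rhythm check like this is a secondary signal, not a replacement for the password: with only a handful of enrolment samples the profile is easy to match by chance on short strings, so a real deployment would gather many samples, use longer text, and treat a mismatch as a reason to step up authentication rather than as proof of an intruder.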


Most countries have key disclosure laws[1] which require you to provide keys or passwords to law enforcement. Not being able to remember the password is not a defense unless you can somehow prove it (which is impossible), and people can and have gone to prison for this[2].

[1]: https://en.wikipedia.org/wiki/Key_disclosure_law
[2]: https://www.reuters.com/article/uk-britain-security-password...


It's not a case of not being able to remember the passwords if an AI is the only entity that knows them. Technicality of law.

As for people going to prison I know how fascist the UK state can be, I've had it all my life since primary school and they go on about the Uighurs in China! LOL. Reminds me of the IRA petrol bombs and the Ukrainian Petrol bombs going on today.

I've had court request letters telling me to go to the wrong courts in the hope they can convict me of speeding in my absence, if I wasn't aware of court procedures, which isn't my day job.

I'm well aware you don't run a country by being nice.


Isn't enhanced pointer precision on Windows just mouse acceleration? Even stretching the definition, it's certainly not AI or AI-adjacent.


In XP, when doing some repetitive stuff which meant moving in and out of a number of windows, I noticed (saw with my own eyes) there were times I hadn't actually clicked on the window close button in the top right of the window but the mouse pointer just fell short of the close button and yet it still closed the windows.

If you use Linux, you'll see how twitchy the mouse pointer is compared to Windows.


Destruction of evidence, the same as if you had burned papers.


The Russian government is stopping people on the street, demanding to see their phone contents. If you can show a fake profile, you are safe. If you wipe data, you might be beaten, tased and jailed.


You didn't get a burner smart phone once Apple and Google added covid trackers?


Wiping is the simplest and dumbest use of the ability to use passwords, or indeed the whole name + password pair, as essentially a command prompt.

Have some imagination.


I was responding to a comment that said "[i]f it's used to wipe the data...". If you read my original comment, I was specifically avoiding that particular topic because I knew it wasn't what you were discussing. It's pretty frustrating how all of these replies are acting like I introduced duress passwords to the conversation.


It would be really annoying if my cat could wipe my hard drive just by walking on the keyboard when I'm in the bathroom.


To be clear, I'm not really endorsing that approach, just saying that it's probably more effective than making "sexgod123" a secret land mine password.


I turned off my auto wipe (number of tries) because of my toddler.


Had a work phone where that wasn't an option, when my kids were little they'd grab the phone and blackmail me with a wipe. Kind of funny but also a pain in the ass.


Doesn't it take hours of wrong password entries before a wipe? The delay between attempts gets longer and longer (at least on iOS); you can't just quickly tap in loads of wrong passwords and wipe an iPhone in a minute.


In my situation the company requires wipe after 5 or 10. I don't remember how long the timeout was, but being locked out of your work phone while you're on call is also a massive pain in the ass.


Duress passwords aren't there to stop brute-forcing; they're there to save your life in the event of wrench-based cryptanalysis [0]. Think "log into this system or I shoot you". Using a duress vs. regular password should look identical and give away as much information/access as you can afford, so your odds of being found out (and subsequently shot) are as low as possible.

Even if configured as self-destruct (in cases where you value system security more than your life), it's still better than a basic panic button (ideally you want both). You can point a gun at someone and tell them to keep their hands away from a button, but eventually you'll need to have them open a locked door for you, and in that moment they are free to type anything on the keypad, be it "open door and call the cops" or "blow up the whole building", and you won't know what they typed until it's too late to stop them.

[0] https://xkcd.com/538/
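The thread above touches on two mechanisms that live in the same place in a login handler: a duress password, which must authenticate exactly like the real one (the comment above) while quietly alerting the defender, and the failure-counter policy (escalating delay between attempts, and optionally a wipe after N failures, as discussed in the "wipe the data after too many failures" and iOS-delay comments earlier). The following is an added example, not code from any product mentioned in the thread. It stores both credentials as salted PBKDF2 hashes, compares the candidate against both every time with a constant-time comparison so neither the result nor the timing reveals which one matched, and returns the wipe as a decision for the caller rather than performing it. The user names, passwords, iteration count, delay schedule and `wipe_after` threshold are all assumptions for this example.

```python
"""Duress-aware login with escalating lockout (added example, not from the thread)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 50_000   # assumption: kept low so the example runs quickly


class Decision(Enum):
    GRANTED = "granted"   # real or duress password; caller cannot tell which
    DENIED = "denied"     # wrong password, lockout timer started or extended
    LOCKED = "locked"     # attempt made while a lockout timer is still running
    WIPE = "wipe"         # failure threshold reached; the caller performs the wipe


@dataclass
class Account:
    salt: bytes
    normal_hash: bytes
    duress_hash: bytes
    failures: int = 0
    locked_until: float = 0.0   # monotonic seconds; 0 means not locked


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def enroll(normal_password: str, duress_password: str) -> Account:
    """Store both credentials the same way; neither is recoverable from the record."""
    salt = os.urandom(16)
    return Account(salt, _derive(normal_password, salt), _derive(duress_password, salt))


class Authenticator:
    def __init__(self, wipe_after: Optional[int] = 10, base_delay: float = 1.0):
        self.wipe_after = wipe_after      # None disables the wipe policy entirely
        self.base_delay = base_delay      # seconds; doubles with every failure
        self.alerts: List[str] = []       # out-of-band channel for the defender only

    def login(self, user: str, acct: Account, password: str, now: float
              ) -> Tuple[Decision, Optional[Dict[str, str]]]:
        if now < acct.locked_until:
            return Decision.LOCKED, None
        candidate = _derive(password, acct.salt)
        # Always evaluate both comparisons so the work done does not depend on
        # which credential (if either) was supplied.
        is_normal = hmac.compare_digest(candidate, acct.normal_hash)
        is_duress = hmac.compare_digest(candidate, acct.duress_hash)
        if is_normal or is_duress:
            acct.failures = 0
            acct.locked_until = 0.0
            if is_duress:
                # The only observable difference lives here, away from the user.
                self.alerts.append(f"duress login for {user} at t={now:.1f}")
            session = {"user": user, "token": os.urandom(16).hex()}
            return Decision.GRANTED, session
        acct.failures += 1
        if self.wipe_after is not None and acct.failures >= self.wipe_after:
            return Decision.WIPE, None
        # Delay schedule 1s, 2s, 4s, ... makes online guessing slow even when
        # the wipe policy is disabled (e.g. the cat-and-toddler problem).
        acct.locked_until = now + self.base_delay * (2 ** (acct.failures - 1))
        return Decision.DENIED, None


if __name__ == "__main__":
    acct = enroll("correct horse battery", "narpas sword")
    auth = Authenticator(wipe_after=3)
    print(auth.login("alice", acct, "wrong", now=0.0)[0])               # DENIED
    print(auth.login("alice", acct, "correct horse battery", now=0.5)[0])  # LOCKED
    print(auth.login("alice", acct, "narpas sword", now=5.0)[0])        # GRANTED
    print(auth.alerts)
```

Whether a duress login should open a decoy account, a restricted view of the real one, or trigger a wipe is a policy choice the thread argues about; the handler above only guarantees that the choice is invisible at the keyboard, because the session object and the decision returned are the same for both passwords.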


I'm aware of that, which is why the comment you're replying to suggested that duress passwords are not a good defense against brute forcing.


True. I think that's mostly an edge case though. The vast majority of the time it's the police forcing a person to unlock a device.

