50 characters ? (was RE: Man jailed over computer password refusal

John Wilson tugwilson at gmail.com
Sat Oct 16 16:21:40 BST 2010

On 16 October 2010 08:14, Nicholas Bohm <nbohm at ernest.net> wrote:

> With a key written on a cigarette paper, you can play the game either
> way:  either "It was on my desk when you searched, I haven't seen it
> since, so you must have lost or destroyed it by accident" or "It was in
> the binding of my copy of 'A Midsummer Ramble in the Dolomites' by
> Amelia Edwards, and your search missed it.  As you had my computer, I
> destroyed it after you left."
> The second variant could be buttressed by evidence from an unimpeachable
> witness who saw the paper with a very long and unrememberable password
> on it and saw it destroyed.  The first variant is perhaps more plausible
> as an account of how we amateurs really do things with written records
> of passwords.

OK, here's another variant:

I buy two YubiKey one black and one white.

I destroy and securely dispose of the white one

I use the black one to generate and hold the first part of my
passphrase and manually type the rest in from memory - this means that
I only know a part of the passphrase

I also use the password held in the YubiKey as the password for some
innocuous application to allow me to explain why I needed two YubiKey.

When the computer equipment is seized the YubiKey may or may not be
seized with it.

If the YubiKey is not seized I get the YubiKey to forget the password
(I can do that in front of witnesses)

If the YubiKey is seized I claim that the white YubiKey was used to
hold the password. If the Police don't have it they must either have
lost it or they left it here and I've lost it.

In the first scenario I always tell the truth

In the second I tell a single lie.

In either case the computer logs confirm that I've used a YubiKey
every time I've accessed the encrypted data.

John Wilson

More information about the ukcrypto mailing list