Visiting The States? Have Your Passwords Ready

The New Acunetix V12 Engine


There’s been a lot of buzz about this on Twitter, if you’re visiting the states anytime soon you might want to have your social media login credentials handy – as they might be requesting them at the border.

Visiting The States? Have Your Passwords Ready

I find the whole thing rather contrived though as I use 2FA for everything, so they are welcome to my passwords – they can’t log in even with them.

Over 50 human rights and civil liberties groups, nearly 100 law professors and security experts, and lawmakers have launched a campaign against digital searches at the US border.

An open letter condemns recent comments by Homeland Security secretary John Kelly in which he proposed requiring selected non-citizens entering the US to provide the passwords to their social media accounts.

The letter has been signed by, among others, the American Civil Liberties Union, Center for Democracy & Technology, Consumer Technology Association, Electronic Frontier Foundation and Internet Society, as well as a wide range of law professors, internet engineers and security experts, including Bruce Schneier.

“Demanding passwords or other account credentials without cause will fail to increase the security of US citizens and is a direct assault on fundamental rights,” the letter argues.

It warns that the approach would not only invade people’s privacy – including those of US citizens – but also discourage travel to the United States as well as set a dangerous precedent that would likely see other countries institute similar entry requirements for US citizens.

“The first rule of online security is simple: Do not share your passwords,” the letter concludes. “No government agency should undermine security, privacy, and other rights with a blanket policy of demanding passwords from individuals.”


There’s some good points made as well with so many sites offering authentication and identity management based on Google and Facebook accounts giving up the access to those gives them the ability to access a LOT of sites and a huge amount of information about you.

The whole thing is rather draconian and Orwellian, sometimes especially since 2016 turned out the way it did (Hello Brexit and President Trump) I feel like I’m living in 1984.

And this kind of stuff DOES not help.

The issue has also attracted the attention of Senator Ron Wyden (D-OR), who sent a letter to Secretary Kelly saying he was “alarmed” by reports of Americans being detained by border agents and being pressured into handing over their smartphone PINs.

“These reports are deeply troubling,” Wyden noted, “particularly in light of your recent comments suggesting that CBP [US Customs and Border Protection] might begin demanding social media passwords from visitors to the United States.”

He continues: “Circumventing the normal protections for such private information is simply unacceptable. There are well-established legal rules governing how law enforcement agencies may obtain data from social media companies and email providers” – rules that require warrants or court orders.

He then asks five questions of Kelly, digging into the legal authority that the Department of Homeland Security (DHS) feels it possesses to demand passwords and asks for stats on how often it has happened.

The whole thing makes travelling to the USA quite unattractive with border agents able to demand your phone PIN code and now your social media login details.

I hope it all goes away when some judge realises this is a HUGE violation of privacy and doesn’t actually make anything more secure.

Source: The Register

Posted in: Legal Issues, Privacy


Latest Posts:


Acunetix v12 - Pause & Resume Acunetix v12 – More Comprehensive More Accurate & 2x Faster
Acunetix, the pioneer in automated web application security software, has announced the release of Acunetix v12 - more comprehensive, accurate & 2x faster.
CloudFrunt - Identify Misconfigured CloudFront Domains CloudFrunt – Identify Misconfigured CloudFront Domains
CloudFrunt is a Python-based tool for identifying misconfigured CloudFront domains, it uses DNS and looks for CNAMEs which may be allowed to be associated with CloudFront distributions.
Airbash - Fully Automated WPA PSK Handshake Capture Script Airbash – Fully Automated WPA PSK Handshake Capture Script
Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing, it is compatible with Bash and Android Shell.
XXEinjector - Automatic XXE Injection Tool For Exploitation XXEinjector – Automatic XXE Injection Tool For Exploitation
XXEinjector is an XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications.
Yahoo! Fined 35 Million USD For Late Disclosure Of Hack Yahoo! Fined 35 Million USD For Late Disclosure Of Hack
Ah Yahoo! in trouble again, this time the news is Yahoo! fined for 35 million USD by the SEC for the 2 year delayed disclosure of the massive hack, we actually reported on the incident in 2016 when it became public.
Drupwn - Drupal Enumeration Tool & Security Scanner Drupwn – Drupal Enumeration Tool & Security Scanner
Drupwn is a Python-based Drupal Enumeration Tool that also includes an exploit mode, which can check for and exploit relevant CVEs.


2 Responses to Visiting The States? Have Your Passwords Ready

  1. sudon't March 20, 2017 at 7:35 pm #

    How do you figure two-factor auth is going to help? They’ll just click “send a text to my phone”, and when the text comes in, they’ll have your phone in hand. If they’ve decided to have a look at you social media, do you think they’ll leave you holding your phone? No, they’ll want your phone’s passcode as well.

    • Darknet March 23, 2017 at 2:13 am #

      Set the 2FA number to a feature phone in your check-in luggage. Or use a YubiKey (also not with you) etc.