Add support for entering a duress PIN which would open a dummy database. This is important in countries that can require you to unlock databases by law, for example at the airport.
(See implementation in StrongBox Compare Features - Strongbox)
You could create a separate dummy BW account and put your fake accounts into that account. Before going to the airport, which is likely not an entirely unplanned activity, you simply log out of your primary everyday BW account and log in to your dummy account. You could even lower the security of the dummy account to not use 2FA while your primary account does.
Not sure this is something that requires a development solution that will impact everyone when a process solution works for those with that particular use case/scenario.
If the Bitwarden team is cool with people registering these dummy accounts, sure. I guess they can’t stop it (easily).
It’s better to create this feature to show only some selected accounts when entering a second password.
Detailed motivation why this feature request is important:
I assume everyone here has heard of cryptocurrency wallets. Some of them have a mechanism that launches when someone tries to log in with a particular password; it either shows the false wallet or deletes the user’s important information.
This is a fantastic tool that enables people to go away from dangerous situations like robberies and other unpleasantries.
Bitwarden is able to add this functionality with a unique master password that either displays a phony vault that the owner previously created or deletes all of the vault data.
The target of a kidnapping or a reporter in a nation with a corrupt government will find this extremely beneficial.
Additionally, this will be quite helpful for your marketing efforts because, as far as I know, no password manager has this.
It would be great to have a fake master password, which by typing it would give access to a fake vault (configurable items from the real or prime vault).
This master password would be very useful to be able to use it in case of a threat or coercion/duress.
In Chicago, people are being held at gunpoint for access to their phone for credit card and password details. What do you mean you don’t see security benefits? In the old days, people just drove past you on motorcycle and grabbed your phone out of your hand, still popular in London. Chicago is more brazen holding you there while you give up your accounts or your life.
This feature is definitely needed and I’ll tell you why later - real situation.
I’d also like to see that when entering the decoy password, it could trigger user-defined actions, not least of which is automatically revoking all active Bitwarden logins and sessions or purging them from any devices.
Perhaps backing up your main vault into a password protected zip file, sending it to a defined email account, then purging your main vault would be a handy addition.
I recently had a situation where I was forced to disclose my device password. A 1st world Western country’s border control. The options were, disclose it or we’ll seize your devices and arrest you for withholding information, and then you’ll be denied entry and your passport flagged on Interpol. I was stopped for a “random search” - let go once they had their way with me. They didn’t let me touch my phone at all once stopped, no chance for killswitch even if I had one, everything is emptied from your pockets, your bags, everywhere, all laid out on the cold steel table. The officer takes your devices away from you, they hold it, then demand you tell them the keys while they type it in, once unlocked, they take it to a back room for however long they want to. This looked to be standard practice because I watched them do the same to all 7 other people in the search and examination area, from young students to old people. As I was a visitor to the country, I have no rights and am technically not even in the country yet. They can do whatever they want, I’m not on a diplomatic passport.
Now that’s a nice case, with people who you’d hope have some level of responsibility and in theory bound by some level of law to protect your data, and from a “1st world” country that we like to think has all sorts of rules and protections.
Now think a second scenario, if someone broke into your house, held a gun to your head and demanded you hand over the passwords, then proceeded to hurt you or your family if you didn’t.
We need the ability to set up a decoy password and decoy data, hopefully with trigger actions.
There’s been discussion above about using a second account or deleting Bitwarden before you travel. These only work if you clear the cache and log in to it or delete the app BEFORE you’re attacked - you may not know you’re going to be attacked… So you’re being attacked, you’re going to what? Stop and open each and every device and clear the system? Come on.
The only current mitigation I can see is to set up decoy data or password manager with disposable access data set on like Google password manager or something, and clear your systems preemptively if you think you run the risk of being compromised, but that still doesn’t account for scenario 2 where you’re asleep and someone breaks into your house or you’re mugged with a cheap wrench.