PanicStation.org
UK USA
uk Legal, police, prison & official contact regulator asks for passwords • asked to share passcode • asked to unlock phone for officials • asked for device pin during inquiry • asked for work account password • regulator wants login credentials • compliance visit password request • dawn raid passcode request • asked for encryption key • asked to approve authenticator prompt • asked for two factor code • asked to hand over authenticator app • pressure to disclose password • unsure if request is lawful • worried about refusing access • asked to unlock laptop • asked to reveal passcode on the spot • asked for email password • official inquiry credential demand

What to do if…
a regulator asks you to provide passwords or passcodes during an inquiry

Short answer

Pause and don’t give any passwords, passcodes, or 2FA codes “on the spot”. Ask for the request in writing (with its legal basis and scope) and involve a solicitor (or your organisation’s legal/compliance lead) before providing any access.

Do not do these things

  • Don’t hand over your actual password, passcode/PIN, 2FA codes, or approve authenticator prompts just because you feel pressured.
  • Don’t guess what you “have to” do. The rules depend on who is asking (regulator vs police vs border) and what written power/notice they’re using.
  • Don’t delete messages, wipe devices, change records, or “tidy up” after contact.
  • Don’t unlock a device/account and then leave officials unsupervised with it unless your solicitor/legal team has agreed a controlled process.
  • Don’t mix personal and work accounts “to be helpful” (for example, logging into personal email to retrieve work files).

What to do now

  1. Switch to “written request only”. Calmly say:
    “I’m not able to share passwords verbally. Please put the request in writing, with the legal basis and what information/systems it covers.”
  2. Verify identity and record key details. Ask for the inspector/officer’s name, organisation, ID (if available), and the case/reference number. Write down the time and what was requested.
  3. Ask what exact power they are using and what they want you to do. Keep it simple:
    • Is this an information/production notice (produce documents/data)?
    • Are they asking for direct access (log in / unlock a device)?
    • Are they asking for an actual password/passcode or “assistance to access protected information”?
  4. Bring in legal support immediately.
    • If you have a solicitor: call them now and ask the official to wait.
    • If this is a workplace matter: contact your organisation’s legal/compliance lead (and IT/security lead) and tell the official you will respond through them.
  5. Offer safer cooperation options that don’t involve handing over your credentials. While the request is reviewed, propose:
    • Producing specific documents/data exports that match the written scope.
    • Supervised access (you unlock/log in once, stay present, and access is limited to what’s authorised).
    • Time-limited, least-privilege access created by IT/admin (rather than your personal credentials).
    • Collection/imaging handled under the proper authority rather than giving a passcode.
  6. If they serve a formal notice that compels access, slow down and read it carefully. In the UK, compelling disclosure of an encryption key/password can be done via a written notice in certain circumstances (for example, a Section 49 notice under the Regulation of Investigatory Powers Act 2000). If anything like this is served or mentioned:
    • Check what is demanded (password, key, or “assistance”), which device/account, and by when.
    • Check it’s addressed to you (and you’re the right person to comply).
    • Say you need legal advice before responding, and contact your solicitor immediately.
    • Don’t change or destroy anything while you obtain advice.
  7. If this is happening at a UK port/border setting, treat it as higher-risk and get legal advice fast. Border examination powers can operate differently to ordinary regulatory contact. Stay polite, repeat: “I want legal advice before providing credentials,” and document what you can.

What can wait

  • You do not need to decide right now whether to grant broad access or “fully cooperate” beyond the written scope.
  • You do not need to explain your whole system, volunteer extra accounts/devices, or provide a narrative on the spot.
  • You do not need to negotiate scope in real time—get it in writing and reviewed first.

Important reassurance

Feeling pressured to hand over a passcode is common because the request can sound routine. Taking a pause, insisting on written scope, and involving a solicitor is a normal protective step.

Scope note

These are first steps for the moment you’re asked for passwords/passcodes during an inquiry. The right response depends on the regulator, whether you’re acting personally or for an organisation, and whether a formal notice/order has been served.

Important note

This is general information, not legal advice. If you’re served a formal notice/order or you’re in a border/custody setting, get legal advice immediately and avoid irreversible actions (like deletion or credential sharing).

Additional Resources
Support us