How can I protect myself from false accusations when our company practices password escrow?

That's what the envelope is (or should be) for: In order to use your password, one needs to break the seal of the envelope you signed. When you think your password was abused, you can ask to see the envelope with your signature and check if it is still unopened.

All you need to do, should your management ever require your password, is change the password and hand in a new envelope. You might want to change your password at regular intervals anyway: It's common best practice.

By the way: In companies with proper IT management, this method is unnecessary, because system administrators can receive any necessary information from user accounts without having to know the passwords of the users. If an administrator really needs to log into a user account, they would reset the password (which would create a verifiable audit trail). And there is usually more than one system administrator, so the admin accounts do not require this method either.


I don't think you are in a particularly worse situation than not disclosing your password. Your boss could:

  • Get the system administrator to make a copy of your (hashed) current password
  • Change it to something new
  • Do something evil in your name
  • Put the old password back (restore the hash to what it was)

What does protect you is that there are, presumably, audit trails of things that are done. For example, tracking emails by IP addresses.

If anything, you are in a better situation than before. Now you can plausibly argue, if something bad is done in your name: "But my boss insisted on having my password, maybe he did it".

If the audit trails can be used to prove your boss's innocence in this sort of situation, then they can also be used to prove yours. And if no audit trails exist, there will be doubt as to who really did it - whatever "it" is.
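One audit check that fits the swap-and-restore sequence listed above, as an added example that is not part of the original answer: flag any account whose stored password hash returns to a value it held before an intervening change. The snapshot format, the sample data and the function name `find_hash_restores` are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: (timestamp, account, stored hash field), as a
# periodic audit job might record it. Timestamps are ISO strings so they sort.
SNAPSHOTS = [
    ("2024-03-01T09:00", "alice", "$6$saltA$h1"),
    ("2024-03-01T09:00", "bob",   "$6$saltB$h7"),
    ("2024-03-02T22:10", "alice", "$6$saltX$h2"),  # hash replaced
    ("2024-03-02T23:40", "alice", "$6$saltA$h1"),  # old value written back
    ("2024-03-03T09:00", "bob",   "$6$saltC$h8"),  # ordinary password change
]


def find_hash_restores(snapshots):
    """Return (account, restored_at, first_seen_at) for each time an account's
    stored hash goes back to a value it held before an intervening change.

    Assumption: hashes are salted with a fresh random salt on every change,
    so a user who re-chooses an old password still gets a different stored
    value. An exact repeat then means the field was written back directly.
    With unsalted hashes a repeat can also be plain password reuse.
    """
    seen = defaultdict(dict)   # account -> {hash value: first timestamp seen}
    current = {}               # account -> most recent hash value
    findings = []
    for ts, account, value in sorted(snapshots):
        previous = current.get(account)
        changed = previous is not None and value != previous
        if changed and value in seen[account]:
            findings.append((account, ts, seen[account][value]))
        seen[account].setdefault(value, ts)
        current[account] = value
    return findings


if __name__ == "__main__":
    for account, restored_at, first_seen in find_hash_restores(SNAPSHOTS):
        print(f"{account}: hash from {first_seen} restored at {restored_at}")
```

Snapshots only catch the sequence if one of them falls between the swap and the restore, so per-change audit events are the better input where the system records them.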


Change your password immediately after handing him the envelope.

You have fulfilled his requirement of giving him an envelope with your password, and you have fulfilled the need to keep it secure. In the unlikely event that he tries to use the envelope password, you can explain that you needed to change it and he had yet to receive the new envelope.

In no case would I trust anyone with a password of mine, even in a sealed envelope. An envelope is too easy to breach, even without breaking the seal. Even using "security envelopes", placing a bright light (super flashlight, office projector, car headlight) to the back side of it will cause the contents to be able to be seen through it. Considering the information to be obtained is likely a large printed single word, it is not secure. I have never worked for a company that has asked for me to give them a password in an envelope.