Access Password

Data & Encoding

32-bit password in reserved memory controlling write access to tag memory banks, preventing unauthorized data modification.


The Access Password is a 32-bit value stored in the Reserved Memory bank of an EPC Gen2 RFID tag. It controls write access to the tag's memory banks, preventing unauthorised modification of the EPC, User Memory, and the passwords themselves. When properly configured, the Access Password is the primary defence against tag data tampering in supply chain and retail environments.

How Access Control Works

EPC Gen2 defines three lock states for each memory bank:

| State | Read | Write | Description |
|---|---|---|---|
| Unlocked | Open | Open | Default state — anyone can read and write |
| Locked | Open | Requires Access Password | Reads are free; writes need authentication |
| Permalocked | Open | Permanently blocked | No writes ever, regardless of password |

When a memory bank is locked, the reader must first send the correct Access Password via the Access command. If the password matches, the tag enters the "secured" state and grants write access for the duration of the session. If the password is wrong, the tag returns an error and may impose a backoff delay to slow brute-force attempts.

Setting the Access Password

The workflow for securing a tag typically occurs during commissioning:

  1. Write the EPC (e.g., an SGTIN) to Memory Bank 01.
  2. Write application data to User Memory if needed.
  3. Write a random or derived 32-bit Access Password to Reserved Memory.
  4. Write a Kill Password to Reserved Memory (if kill capability is desired).
  5. Issue Lock commands to lock the desired memory banks.
  6. Store the Access Password in the enterprise database keyed by EPC.
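Steps 3 to 6 of this workflow as an added Python example (not code from the original page): it derives a unique Access and Kill Password per EPC, builds the 20-bit Lock command payload, and records the result keyed by EPC. The function names, the HMAC-SHA256 derivation, the demo key and the sample EPCs are assumptions made for illustration; the payload bit layout follows the Gen2 Lock command definition rather than anything stated on this page.

```python
import hashlib
import hmac

# Gen2 Lock payload: mask in bits 19..10, action in bits 9..0. Each bank has a
# "password required" bit and a permalock bit; this maps each bank to the
# position of its "password required" action bit (layout per the Gen2 spec).
PWD_BIT = {"kill": 9, "access": 7, "epc": 5, "tid": 3, "user": 1}

def derive_password(master_key: bytes, epc_hex: str, purpose: str) -> int:
    """Derive a per-tag 32-bit password as HMAC-SHA256(master_key, purpose|EPC)."""
    epc = bytes.fromhex(epc_hex)
    counter = 0
    while True:
        msg = purpose.encode() + b"|" + epc + bytes([counter])
        digest = hmac.new(master_key, msg, hashlib.sha256).digest()
        value = int.from_bytes(digest[:4], "big")
        if value != 0:  # Gen2 tags treat an all-zero Access Password as "no password"
            return value
        counter += 1

def lock_payload(banks) -> int:
    """Build the payload that puts each named bank into the 'Locked' state."""
    payload = 0
    for bank in banks:
        bit = PWD_BIT[bank]
        payload |= 1 << (bit + 10)  # mask: update only this bank's password bit
        payload |= 1 << bit         # action: require the Access Password
    return payload

def commission(epc_hex: str, master_key: bytes, database: dict) -> dict:
    """Derive both passwords, compute the Lock payload, store the record by EPC."""
    if epc_hex in database:
        raise ValueError("EPC already commissioned: " + epc_hex)
    record = {
        "access_password": derive_password(master_key, epc_hex, "access"),
        "kill_password": derive_password(master_key, epc_hex, "kill"),
        "lock_payload": lock_payload(["kill", "access", "epc", "user"]),
    }
    database[epc_hex] = record
    return record

if __name__ == "__main__":
    db = {}
    key = bytes(range(32))  # constructed demo key, not a real secret
    for epc in ("3034257BF7194E4000001A85", "3034257BF7194E4000001A86"):  # constructed EPCs
        rec = commission(epc, key, db)
        print(epc, f"{rec['access_password']:08X}", f"{rec['lock_payload']:05X}")
```

The mask leaves every permalock bit untouched, so the same payload can be reissued without affecting a bank that has been permalocked.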

Security Strength

A 32-bit password provides 2^32 (approximately 4.3 billion) possible values. While this is insufficient against offline cryptanalysis, the practical attack surface is limited because the attacker must transmit each guess over the air to the tag, which responds slowly (each attempt takes ~20 ms). A brute-force attack would take thousands of years at RF speeds.

However, the Access Password is transmitted in plaintext over the air interface unless crypto suite authentication is used. An adversary performing eavesdropping during a legitimate access transaction could capture the password. For high-security applications, Gen2v2's mutual authentication should be used instead of or in addition to the plaintext Access Password.

Best Practices

  • Generate unique passwords per tag — shared passwords create single points of failure.
  • Use the Access Password in combination with Lock commands — a password alone without locking the memory banks provides no protection.
  • Consider Permalock for data that must never change (e.g., calibration records on aviation parts).
  • For consumer-facing products, evaluate whether the Untraceable Command provides sufficient privacy protection without the complexity of password management.
