Kill Password

Kill Password

The Kill Password is a 32-bit value stored in the Reserved Memory bank (Memory Bank 00) of an EPC Gen2 RFID tag. When a reader sends the correct Kill Password via the Kill Command, the tag permanently and irreversibly ceases all RF communication. The Kill Password mechanism was designed to address consumer privacy concerns by allowing retailers to fully disable tags at the point of sale.

Memory Location

The Reserved Memory bank contains two 32-bit passwords:

Both passwords default to all zeros (0x00000000) on new tags. A tag with a zero Kill Password will not respond to the Kill Command — the EPC Gen2 specification explicitly prevents killing a tag that has never had its Kill Password programmed. This safety measure prevents accidental or malicious mass-killing of unconfigured tags.

Programming the Kill Password

Setting the Kill Password requires writing to the Reserved Memory bank, which itself may be protected by the Access Password. In a typical commissioning workflow:

1. The printer-encoder writes the EPC to the epc-memory/" class="glossary-term-link" data-term="EPC memory" data-definition="Writable tag memory for item identity." data-category="Data & Encoding">EPC memory bank.
2. It writes a unique Kill Password to the Reserved memory bank.
3. It locks the Reserved memory bank using the Access Password.
4. The Kill Password is stored in the enterprise database alongside the EPC for later retrieval.

Step 4 is critical — if the Kill Password is lost, the tag can never be killed (and also never have its kill password changed if it has been locked).

Privacy and Regulatory Context

Consumer privacy advocates raised concerns that RFID tags embedded in clothing and consumer goods could be tracked after purchase. The Kill Password mechanism was EPCglobal's response: retailers can offer to kill tags at checkout. In practice, the Untraceable Command introduced in Gen2v2 has largely superseded killing because it hides tag data without destroying the tag, preserving the option for returns and warranty processing.

GDPR considerations in Europe may require that tags be killed or made untraceable when items are sold to consumers, depending on whether the EPC can be linked to an individual.

Practical Considerations

Killing is irreversible. Once executed, the tag's silicon is permanently disabled at the transistor level — there is no recovery. This makes the Kill Password a sensitive credential. Organisations that programme kill passwords should treat them with the same security controls as cryptographic keys: generate them randomly, store them in secure databases, and limit access to authorised personnel and systems.