Panic passwords allow a user to signal duress during
authentication.  We show that the well-known model of giving a user
two passwords, a `regular' and a `panic' password, is susceptible to
iteration and forced-randomization attacks, and is secure only within
a very narrow threat model.  We expand this threat model
significantly, making explicit assumptions and tracking four
parameters.  We also introduce several new panic password systems to
address new categories of scenarios.