Specifically, that’s true for US law. Under UK law memorised passwords can be demanded, with prison sentences for failing to produce them. It also doesn’t count at the US border.
That's messed up. In this case, store password DB in deniable TrueCrypt (or similar) volume on an airgapped machine, secured with a memorized passphrase. That way, they can't prove there's something to decrypt, and you haven't memorized any passwords they know about. But it sounds like merely failing to produce a password is a crime in general, which seems unfair to those who have lost / forgotten their password.