
Cleartext passwords are perfectly fine in this case. I speak as a software engineer specialized in security.

These passwords should of course be stored in a Keychain-like component that the OS provides.

Are you sure you are specialized in security?




The OS can't provide a key ring because the user doesn't use a password to log in. Or if they do have an unlock code, they are short and numeric, making brute-forcing them trivial. So yes, in this case plain text is acceptable because there is no truly better alternative.


On one hand, both gesture unlock codes and longer alphanumeric codes, both of which Android supports, would probably make good candidates to secure the key ring with. On the other hand, the email application, for example, still needs to receive email even when the screen is off, which makes anything entered on screen unlock a bad candidate for key-ring solutions. Boot is better, but how often do you turn your phone off while not using it?



