SpiderOak / Encryptr

Encryptr is a zero-knowledge cloud-based password manager / e-wallet powered by Crypton
GNU General Public License v3.0

Feature Request: PIN access on mobile app #266

Open gnorcie opened 7 years ago

gnorcie commented 7 years ago

Entering the entire passphrase on mobile can be cumbersome, especially if you are aware of the fact there is no 5th amendment protection for fingerprints and chose a long password for your phone.

It would be nice to allow users to opt in to putting a simple PIN (numeric, swipe pattern, or short word) so that someone can't access their PWs if handed the device, but so you're not typing out the entire passphrase every time you need to access a password.

devgeeks commented 7 years ago

The trick is to figure out a way to keep the PIN from just being the security equivalent of having a bad password for Encryptr.

gnorcie commented 7 years ago

You could have a timeout on the PIN, or maybe only allow it if they set up a screen lock? (I'm not sure if the latter is possible on both iOS and Android)

Does Spideroak have a designated UX researcher? This is the kind of thing they could help suss out.

-Greg


devgeeks commented 7 years ago

Yup...

@helveticade

neonb commented 7 years ago

Every mobile app, security-critical or not, prefers simple PINs over passwords. The reason is probably that access to the device in question is presumed to be proof enough that the user is legitimate. If your phone has private information (which it does), it already has (should have) lock screen security and other anti-theft features implemented.

So the PIN serves a different purpose than your real password. Besides, preventing brute-forcing it is super simple: allow a couple tries and then require the password. Of course password managers' security is extra important, but in this case the PIN wouldn't really weaken it and it would be a huge improvement in user experience.

devgeeks commented 7 years ago

preventing brute-forcing it is super simple: allow a couple tries and then require the password

This is basically what the SpiderOakOne app does now. I was not saying that I was against the idea, just being clear about the possible ramifications. I have been planning on PIN and touchID support... it's just on a long list of features that need to be prioritised and added.

I also want to state that I super appreciate folks adding issues and making feature requests like this. It is what makes me want to work on it.

gnorcie commented 7 years ago

Great thoughts!

Personally I'd strongly prefer a PIN since something you know is much stronger 5th amendment protection (biometrics can be compelled in USA)

Also Touch ID can't be used on individual apps if disabled for main lock screen in iOS IIRC so people like me who use strong lock codes couldn't use that feature.

-Greg
