Password not protected

While I can see your point about having the eye being able to display the password being a bad idea, I don’t even consider handing my unlocked phone to someone else. There’s too much damage they can do. And while I use a strong password to lock it, I do concede to convenience by using the iris and fingerprint scans to unlock. I’ve found both of them to be reasonably secure, much more so than Apple Face ID where my son and daughter can both unlock my wife’s iPhone.

But back to handing someone an unlocked phone so they can see something I want to show them or let them use an app, like a game for my son, I always pin the app when I do that. I don’t know if non-Samsung phones have that feature but it’s great. If the user tries to leave the app that’s pinned, the phone goes back to being locked.

It’s not a Samsung-specific feature and should be available on all Android versions that K-9 Mail supports.

I try to avoid giving my phone to anybody as well and use pretty much all the common security features. But locking my mail app is not one of them, because it would be annoying (Oh I got mail, let’s unlock my phone twice to read it :roll_eyes:). This is not a solution.

It’s just bad design that could be easily avoided and would most likely not be a huge amount of work to implement. Literally nobody on the face of the planet wants a password to be readable and nobody expects it, because it is so stupid. Please cketti, I beg you, just change it and everybody is happy.

Don’t assume that because you don’t want to do this, nobody does. Have you had a look at the password store in your browser lately?

There has been the suggestion to prompt the user for the lock screen password/fingerprint/whatever before showing the server password. I’d be totally fine with that. But this is not a priority feature for me. Pull requests to implement this are very much welcome.

4 Likes

My wording may have been exaggerated, but not showing the password will most likely be the more popular and safer choice. Just removing the eye icon after the initial setup would be a compromise until fingerprint/PIN entering is implemented.

1 Like

I would like to say so much more to explain my point, but my English is not that good. But I see no reason why a password should be made visible so easily. On computers, banking apps or whatever, I would say the eye button should not be there.

1 Like

Well, there is clearly disagreement about this.

Anyways, a password/fingerprint/login prompt is on its way. See “Passwords unprotected and visible after update - #7 by harold” for more details.

1 Like

Okay. Let’s say it this way. People are making connections to several email accounts on their email apps. Whatever email apps people are using…

DURING the making of the account or DURING TYPING the password the eye button can be useful. I fully agree with that. But after the check of the credentials I think absolutely not. I think it is very unsafe to keep showing the eye button.
(If all apps would handle this procedure and keep showing the eye button, then if someone steals a phone, they could collect ALL YOUR PASSWORDS!!)

But to understand your point of view, I will continue:
Now after the check and the email account works fine. All the email is coming in and the mails can be sent…

Can you tell me whatever logical reason people can have to make passwords visible for a working account afterwards? That justifies the eye button afterwards?

For me personally (and my use of K-9 Mail for the future, after 11 years…), your answer is very crucial!!

3 Likes

I agree with @harold.

I see no reason why after setting up the account the password should be visible on a working account. Seems a BIG security issue to me, also.

1 Like

This is true only if BOTH of these are true:

  1. The phone is unlocked.
  2. The app has “an unprotected eye”.

Regarding 1: I assume that anyone who is a bit security conscious uses a screen lock and does not let others use their phone.

Regarding 2: Yes, K-9 currently has “an unprotected eye”, but a pull request fixing that is already being reviewed.

Okay.
I can not oversee in your answer regarding your answer at #2 what the fix will be, and I wait for it.
Thanks for your answer!

The code in the pull request does this:

When the eye is pressed, a check is made to see if a safe screen lock (password, pattern, fingerprint) is configured.

  • If yes, a password/pattern/fingerprint is requested before showing the password.
  • If no, the password is not shown.

This is exactly what e.g. Firefox and Chrome do when you want to see saved passwords.

4 Likes
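
The check described in the post above, sketched with the AndroidX Biometric library as an added example; it is not the code from the K-9 Mail pull request. The class name `PasswordRevealGate` and the prompt title are hypothetical, and the password field is assumed to start out masked.

```kotlin
import android.text.method.PasswordTransformationMethod
import android.widget.EditText
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_WEAK
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

// Hypothetical helper, not K-9 Mail's code: the eye button calls onEyePressed().
class PasswordRevealGate(
    private val activity: FragmentActivity,
    private val passwordField: EditText, // assumed to start masked
) {
    // Fingerprint/face or the lock screen PIN, pattern or password.
    private val authenticators = BIOMETRIC_WEAK or DEVICE_CREDENTIAL
    private var revealed = false

    fun onEyePressed() {
        if (revealed) { mask(); return } // hiding never needs authentication
        // No secure screen lock configured: the password is not shown at all.
        val status = BiometricManager.from(activity).canAuthenticate(authenticators)
        if (status != BiometricManager.BIOMETRIC_SUCCESS) return

        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                reveal()
            }
            // Cancel, error or a failed attempt: default no-op, field stays masked.
        }
        val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock to show password") // constructed sample text
            .setAllowedAuthenticators(authenticators)
            .build()
        prompt.authenticate(info)
    }

    // Call from onPause() too, so a revealed password does not outlive the screen.
    fun mask() {
        passwordField.transformationMethod = PasswordTransformationMethod.getInstance()
        revealed = false
    }

    private fun reveal() {
        passwordField.transformationMethod = null
        revealed = true
    }
}
```

Because `DEVICE_CREDENTIAL` is among the allowed authenticators, the prompt must not set a negative button text, and `canAuthenticate` only returns `BIOMETRIC_SUCCESS` when a secure lock is actually enrolled.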

Okay, thanks for your reply!
I would think that when it is programmed like that, it should be secure. :+1:

I highly support this pull request and hope it is merged soon.
As security is a layered approach, protecting the password only by the lock screen should not be enough, as there is no need to keep the password visible and additional layers of security can technically be easily established without reducing the user’s comfort.

1 Like

It is in the latest beta release, so unless something unexpected happens, it will be released soon.

1 Like

Unfortunately, lock screen is not enough for many users including me. I am a director of two companies and many times I have my phone available to be used. Also for my daughter, sometimes she uses it. And here is a good one, when I let it be serviced or updated! You MUST have all lock screens disabled! So, that is useless then, isn’t it. I don’t understand the hostility for a perfectly good request especially for security enquiries.
Also, think about when I may be in conference meetings/gatherings and I don’t want the app to be able to open without my authority.

I agree with XL_92.
A password lock for opening the app is definitely needed and I see many others who are also requesting it, along with my whole company.
Perfect example, right now send my phone downstairs to my IT guys for service and screen lock MUST be disabled for the service and I (director) don’t need this to be accessible.
Why the hostility from some of the users here is totally unfounded for a perfectly reasonable enquiry.
Now I will just delete the account on the phone and will have to reset it when I get it back from service.

Again - if anything this would have to be a CHOICE. I do NOT want to have to enter a pin when opening the app and I’m sure most other users wouldn’t either.

And btw - if I send my device out for service I factory reset it, so again no need for any more security. All of that should be optional, I would never use ANY mail app that forces me to have to unlock it before use!

Why the hostility?
Again, many are requesting it.
2nd, yes, choice, it doesn’t have to be a “always on”. A simple activate or deactivate for those like you who don’t want it and not forcing you.
Service, it is our in house. So I don’t want to be doing a factory reset every time.
I use many other apps that I have the option to have a password protect when opening. And it is not an always on/forcing you. For example, Threema app (end-to-end encryption), which I definitely have set with a password to open.
Last, chill out man! There are a lot of other needs just besides yours.
I think the option to have it enabled/disabled would be a great function for security and flexibility.
Peace.

Hostility? I wasn’t being hostile, but merely pointing out that I (and probably most other users) would neither need nor want such extra security.

I was not being hostile and I’m well aware that there are other needs besides mine, which is why I’ve always said that it needs to be “optional”, if at all.