
1Password ignores protection settings

fearmeat
fearmeat Junior Member
I am using a Samsung Exhibit 4G. I appreciate that Agile has made an Android version of its app!



I have told 1P that I prefer using a 4-digit PIN to unlock the app, but it always (as in every single time) makes me plug in the (much longer) master password. I figure this is just a bug for this beta version but wanted to bring it to your attention.

Comments

  • djshack
    djshack Junior Member
    I believe that is an iOS-only feature.
  • GeneY
    GeneY AWS Team
    edited September 2011
    Hello fearmeat,



    In order to use the lock with PIN feature, please go to application preferences->Application Protection and select the "Protect with PIN" checkbox instead of "Protect with master password". You will need to select a 4-digit PIN number afterwards.



    Once you've done that, you will be able to lock 1Password Reader with PIN.



    In addition, please carefully review the forum posting http://forum.agilebits.com/index.php?/topic/6241-pin-in-addition-to-master-password/ for more information.



    Best regards,

    Gene

    Android developer :-)
  • fearmeat
    fearmeat Junior Member
    That is my problem. I have already told 1P to use the PIN password, but it always asks for the longer master password.
  • Hello fearmeat,



    Please note that the PIN is not used for data encryption/decryption but only for locking an application which has already been authenticated with your Master Password (for example, when the application goes into the background and needs to be reactivated).

    Therefore, in order to log in to 1Password Reader, your valid Master Password is always required.

    If your application stays inactive, it may be killed by the Android Operating System for any reason (for example, the OS wants to free some memory for other applications). In this case, when you go back to the application, a totally new instance of 1Password Reader is created and, therefore, you see the Login (not Unlock) screen and you are asked for your Master Password again.

    Please make absolutely sure that you have the "Use PIN" checkbox checked and that you have actually selected a 4-digit PIN number.

    Next, use the "Lock" menu option and make sure that 1Password Reader is locked with the PIN screen.

    Just wanted to clarify once again: the PIN screen is simply for locking the application when it goes into the background for any reason (for example, if you press the Home button or another application goes to the forefront). The 4-digit PIN has nothing to do with data encryption. Once you exit 1Password Reader explicitly or your application is killed by the Operating System, the Master Password is always required in order to decrypt your data and, therefore, you are shown a Login screen (not Unlock).

    Please let me know if you found the information helpful.



    Regards,

    Gene
  • fearmeat
    fearmeat Junior Member
    Understood. Would it be possible to request that the Android app function more like its iOS counterpart? A simple 4-digit PIN unlock vs. Master Password. Thanks for your response!
  • GeneY
    GeneY AWS Team
    edited September 2011
    Hi fearmeat,



    In fact, the new version of 1Password for iOS will use the same approach as 1Password for Android.

    The Master Password will always be required in order to log in to the application. The PIN will be used exclusively for unlocking an application which has already been authenticated with the Master Password.

    All items will be encrypted with the master password; the option to encrypt items with a PIN (weak encryption) will be eliminated.

    In addition, the encryption algorithm will be made much stronger (at least 10 times stronger than the industry standard used in the current version of 1Password).

    Life is changing fast, computers become more powerful and, therefore, security requirements constantly change.

    What is perfectly acceptable today may not be sufficient tomorrow.

    Please remember that your data privacy and security is a matter of utmost importance for us, and here at Agile we do everything in order to protect you and your data.



    Best regards,

    Gene :-)
  • fearmeat
    fearmeat Junior Member
    Thanks again, Gene. I don't want to waste your time by debating this, but I really don't understand this change. In iOS, I login to the app with a 4 digit PIN. Once logged in, the master password is required to open any single login item, note, or account. The nice thing is that the user has the option to disable the master password requirement on a per-login basis. How is requiring the master password upfront going to improve security if that is already required in the current state anyway?
  • Ben
    Ben AWS Team
    [quote name='fearmeat' timestamp='1316392975' post='50237']

    Thanks again, Gene. I don't want to waste your time by debating this, but I really don't understand this change. In iOS, I login to the app with a 4 digit PIN. Once logged in, the master password is required to open any single login item, note, or account. The nice thing is that the user has the option to disable the master password requirement on a per-login basis. How is requiring the master password upfront going to improve security if that is already required in the current state anyway?

    [/quote]



    The difference is that someone needs to know your Master Password in order to even see what sites you have accounts with. This was requested by a large number of our customers.
  • GeneY
    GeneY AWS Team
    edited September 2011
    Hello fearmeat,



    In the current version of 1Password for iOS you can see all items where the "Low Security" option is specified just by providing your 4-digit PIN.

    Your Master Password is not required for this. In addition, the list of all items is visible to you, even if some items are encrypted with the "High Security" option.

    There is nothing particularly wrong with it. However, as I mentioned before, security requirements are constantly evolving and getting stricter.

    Therefore, Agile is moving towards eliminating the "Low Security" option (encrypted with PIN) and using only the High Security option for all items.

    In addition, the 1Password encryption algorithm will be made much stronger (at least 10 times stronger than the industry standard used in the current version of 1Password).

    Therefore, the Master Password will always be required to see all your secure items and the PIN will be used exclusively for unlocking an already authenticated application.



    Best regards,

    Gene
  • jhollington
    jhollington Junior Member
    I've noticed the original problem in the Android version for some time as well and simply assumed that it was because the app was shutting down in the background. However, I prefer the iOS approach of simply storing the real master password within the application and then providing a shorter password or PIN option.



    I most definitely would [i]not[/i] want to see the full master password required on the iOS side to log into the application. It's so incredibly annoying on Android that I would be tempted to drop 1Password entirely if I were primarily an Android user. I believe that forcing the average user to enter the entire master password each time will actually [i]decrease[/i] security rather than improving it, as it will encourage users to choose shorter, less secure master passwords for the sake of convenience. As an example, the App Store suffers from a similar problem with its insistence on entering the password every time a user wants to even download a free app or update an existing app; Apple has recently started enforcing minimum password requirements, but prior to that time I knew more than a few people who changed their iTunes Store passwords to something ridiculously short and simple to avoid having to type in a complex password each and every time they wanted to download something.



    IMHO an iOS or Android device is already a form of two-factor authentication -- the "something you have" is the device itself, and anybody concerned about security can already lock the whole device with a separate password as well as enabling remote lock and wipe features via iCloud or Exchange ActiveSync. I would not want to use a weak master password for the [i]actual[/i] 1Password database, particularly since I store it on Dropbox, but I can live with a less secure password for data stored on a device that should always be under my direct control.
  • GeneY
    GeneY AWS Team
    Hello jhollington



    Thank you for the feedback.



    I completely agree with you that typing master password is not that convenient, however, even on iOS you are required to provide your Master Password in order to see some items (High Security Encryption).

    Please remember that security requirements are always changing and are getting stricter every time. All your secure items should be encrypted with the same High Security option, there will be no Low Security Option.

    PIN number is just a convenience feature for unlocking application already authenticated with Master Password.



    By the way, while 1Password security is absolutely solid as it stands today, the security algorithm is made 10 times stronger in the latest releases of 1Password for Mac and PC. 1Password for Android fully supports the new algorithm as well. Of course, this approach takes a second or so longer on password validation, but that is acceptable.



    Regards,

    Gene

  • dearmash
    edited December 2011
    I was directed here after posting feedback via the android app.



    Basically I would be very disappointed if the two-tiered security system present in the iOS version of the app were to disappear. There is a large benefit of having one level of easy (pin) access for web forums, online stores that don't store my CC info, social media, etc. that I access often and does not expose significant risk if discovered. The master password then is the "standard" level of security for anything exposing risk such as my personal email, work resources, financial resources, etc. and things I generally either have memorized or otherwise require less frequent access to.



    Granted this is only a mobile use case where typing in a pin is easier. Typing passwords in on a computer is significantly easier.



    I just hope that [quote name='GeneY' timestamp='1323900324' post='55518']PIN number is just a convenience feature for unlocking application already authenticated with Master Password.[/quote] doesn't mean that "secure" items remain in memory while the application is running and the PIN / password after the fact is simply a smokescreen.
  • jpgoldberg
    jpgoldberg Agile Customer Care
    Let me clarify how the PIN and the master password work on iOS. I'll leave it to Gene to fill in the gaps on Android.



    Each item in your 1Password data is encrypted with one of two keys: the "low security" key or the "high security" key. Each of those keys is a random 128-bit number. The low security key is encrypted with your four-digit PIN, and the high security key is encrypted with your master password. The encryption is just as strong in both cases, but in one case the key is protected only by the four-digit PIN.



    There is also a copy of the low security key that is encrypted with the high security key on the desktop applications. This is what allows you to view and set things as "low security" after using your master password on the desktop applications.



    The idea behind using the PIN in the iPhone/iPod touch was that it really is a pain to type in a reasonably strong master password on those devices, so we wanted people to be able to get some use out of the application without always having to use their master password. This was set up before iOS 4 brought in app switching. Back in those days any time you switched to another app you were fully locking 1Password.



    I personally, still make some use of the four digit code. I keep everything at the high security level, but I set a longer auto lock setting for the master password than for the four digit code. That allows me to get back into 1Password without having to enter the full password, but still have some protection if someone gets hold of the phone before the auto lock time.



    We don't discuss features until they are delivered, and no plans about the high and low security distinction are written in stone. What we do know is that while plenty of people have come to make use of the distinction, the original need doesn't apply so much and that it has been a source of confusion for many users.



    But as I said, I make use of the PIN versus master password on the iPhone many times a day. And we know that other people do too. So any redesign will have to take into account how this can be used to help people even if the original intent no longer applies.



    Cheers,



    -j
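
The two-tier key layout described in the post above, next to the PIN-as-screen-lock model GeneY describes for the Android Reader, as an added example that is not AgileBits code. The XOR-plus-HMAC wrap, the PBKDF2 iteration count, all function and class names, and the assumption that the key stays in process memory while PIN-locked are constructed for illustration; the thread does not state how either app implements these details.

```python
import hashlib
import hmac
import math
import secrets

ITERATIONS = 10_000  # demo value chosen for this example, not taken from the thread


def _kek(secret: bytes, salt: bytes) -> bytes:
    """Derive 32 bytes: 16 to mask the item key, 16 to key the integrity tag."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)


def wrap_key(item_key: bytes, secret: bytes) -> dict:
    """Toy key wrap (XOR mask + HMAC tag), a stand-in for a real authenticated key wrap."""
    salt = secrets.token_bytes(16)
    kek = _kek(secret, salt)
    masked = bytes(a ^ b for a, b in zip(item_key, kek[:16]))
    tag = hmac.new(kek[16:], masked, hashlib.sha256).digest()
    return {"salt": salt, "masked": masked, "tag": tag}


def unwrap_key(blob: dict, secret: bytes):
    """Return the item key, or None when the secret is wrong (tag mismatch)."""
    kek = _kek(secret, blob["salt"])
    expected = hmac.new(kek[16:], blob["masked"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["masked"], kek[:16]))


def build_two_tier_store(pin: str, master_password: str):
    """Two random 128-bit item keys, each wrapped under a different secret."""
    low_key, high_key = secrets.token_bytes(16), secrets.token_bytes(16)
    store = {
        "low_by_pin": wrap_key(low_key, pin.encode()),
        "high_by_master": wrap_key(high_key, master_password.encode()),
        # Desktop-side copy: the low key wrapped under the high key itself.
        "low_by_high": wrap_key(low_key, high_key),
    }
    return store, low_key, high_key


def protecting_bits(alphabet_size: int, length: int, key_bits: int = 128) -> float:
    """Bits of search space guarding a wrapped key: the smaller of secret and key."""
    return min(length * math.log2(alphabet_size), key_bits)


class LockedSession:
    """PIN-as-screen-lock model: the PIN gates a session, it never derives a key.

    Assumption: the unwrapped key stays in process memory while PIN-locked.
    """

    def __init__(self, wrapped_high: dict, pin: str):
        self._wrapped, self._pin = wrapped_high, pin
        self._key = None       # exists only while the process is alive
        self.locked = True

    def login(self, master_password: str) -> bool:
        self._key = unwrap_key(self._wrapped, master_password.encode())
        self.locked = self._key is None
        return not self.locked

    def lock(self) -> None:
        self.locked = True     # the key is kept; only the UI is gated

    def unlock_with_pin(self, pin: str) -> bool:
        if self._key is None:  # fresh process: nothing for the PIN to unlock
            return False
        ok = hmac.compare_digest(pin.encode(), self._pin.encode())
        if ok:
            self.locked = False
        return ok

    def process_killed(self) -> None:
        """Simulate the OS reclaiming the process: the in-memory key is gone."""
        self._key, self.locked = None, True


if __name__ == "__main__":
    # Constructed sample secrets.
    store, low, high = build_two_tier_store("4821", "constructed master passphrase")
    print("PIN releases low key:  ", unwrap_key(store["low_by_pin"], b"4821") == low)
    print("PIN releases high key: ", unwrap_key(store["high_by_master"], b"4821") == high)
    print("bits guarding low key: ", round(protecting_bits(10, 4), 1))
    session = LockedSession(store["high_by_master"], "4821")
    session.login("constructed master passphrase")
    session.lock()
    print("PIN unlock while alive:", session.unlock_with_pin("4821"))
    session.process_killed()
    print("PIN unlock after kill: ", session.unlock_with_pin("4821"))
```

In the first model the wrapped low key is stored data, so its protection is bounded by the PIN's search space however strong the 128-bit key is; in the second the PIN protects nothing at rest, which is why a killed process always returns to the master password prompt.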
  • jhollington
    jhollington Junior Member
    edited December 2011
    [quote name='GeneY' timestamp='1323900324' post='55518']

    I completely agree with you that typing master password is not that convenient, however, even on iOS you are required to provide your Master Password in order to see some items (High Security Encryption). [/quote]

    Thanks for the response. The issue, however, is that the "master password" on the iOS side does not have to be the same as the main master password used on the desktop. On iOS the master password is only entered when the app is [i]first[/i] configured to sync via Dropbox, after which the in-app low- and high-security passwords are used.



    For example, I use a complex 24-character random string for my actual "master password" on the desktop, which I assume is the key that is actually used for my 1Password database encryption. IMHO this master password should be as secure as possible as it protects the underlying data files, which could conceivably fall into the wrong hands (via unauthorized access to my Dropbox account or computer).



    However, once I've configured 1Password on iOS, using that initial master password to sync with the Dropbox-based copy of my database, the "master password" set on iOS can be a much shorter and more manageable character string -- in my case, I use an eight-character random string instead. My mobile device is inherently more secure as it is protected with an additional PIN code on the front end, plus I have two levels of remote wipe available to me (Exchange ActiveSync and iCloud).



    Similarly, I could live with a single tier of security on the Android side if that tier allowed for a simpler password that was easier to type on a mobile device keyboard. Personally, I won't compromise the complexity of my main master password (which protects my actual data file) just because it's inconvenient to type on a mobile device (I'd stop using 1Password before I'd do that), but I can imagine many people who may otherwise use a more secure password on the desktop would be tempted to reduce the complexity of that password just to make it easier to type.



    [quote name='jpgoldberg' timestamp='1324006403' post='55593']The idea behind using the PIN in the iPhone/iPod touch was that it really is a pain to type in a reasonably strong master password on those devices, so we wanted people to be able to get some use out of the application without always having to use their master password. This was set up before iOS 4 brought in app switching. Back in those days any time you switched to another app you were fully locking 1Password.[/quote]

    Fair enough, but as noted above it's still a pain to type a high security master password from the desktop on the mobile side, which is what 1Password for Android currently requires. I would prefer to at the very least see a separate password option on Android.



    [quote]I personally, still make some use of the four digit code. I keep everything at the high security level, but I set a longer auto lock setting for the master password than for the four digit code. That allows me to get back into 1Password without having to enter the full password, but still have some protection if someone gets hold of the phone before the auto lock time.[/quote]

    I do something similar, although I have a number of very low-security passwords that aren't worth bothering with the master password for.



    However, even in this case I use a relatively short master password in the iOS app. As noted above, I'm relatively confident regarding the security of my actual devices -- I've never lost or misplaced one and even so I have an immediate auto-lock for the device itself plus remote wipe options available.



    This does bring up an interesting question, however: Are the Data Protection APIs currently used for the 1Password store on iOS? On Android 4.0, I have simply encrypted the entire device, however iOS' "full-disk encryption" is not really a security solution -- iOS instead relies on applications themselves to specifically use the Data Protection APIs. It's a minor thing, of course, considering that the content in 1Password is already encrypted, but it seems like it would basically be an almost "free" way of adding a bit of extra protection to that data by leveraging that feature.
  • jpgoldberg
    jpgoldberg Agile Customer Care
    I think you have captured the situation very well. Let me summarize for those following along at home (and I'll add a little bit in some places).



    When thinking about password-like things on iOS with respect to 1Password there are four different things.

    1. The passcode for the device. (This has nothing directly to do with 1Password, but the data on your device, including things that 1Password stores in the iOS keychain, is much, much more secure if you set this.)
    2. The 1Password four digit unlock code
    3. The 1Password master password on your iOS device
    4. The 1Password master password that you use on the desktop (this is only used during the Dropbox sync process)

    Like you, my master password on my iPhone and iPad (#3 in the list above) are much shorter than my master password on the desktop (#4). 1Password on iOS would be unusable if I had to use my #4 password there regularly. Also it's your #4 password that could be subject to an off-line attack (stolen home computer, cloud/dropbox-breach) so it should be very very strong.



    The separation between #3 and #4 is vital. No matter what we do with #2 (the 4-digit PIN), I can't foresee any circumstances where we would do away with the separation between #3 and #4 on iOS.



    We've learned a great deal about how people do make use of that distinction on iOS and so as we develop things for the Android, we will be able to incorporate all of that knowledge. Again, we make no promises about things that we haven't yet delivered, but we certainly wish to take the best of what we've learned on any platform and see how it can be used to provide better security and a better user experience on all of the others.



    Cheers,



    -j
  • jhollington
    jhollington Junior Member
    [quote name='jpgoldberg' timestamp='1324320214' post='55830']Like you, my master password on my iPhone and iPad (#3 in the list above) are much shorter than my master password on the desktop (#4). [i][b]1Password on iOS would be unusable if I had to use my #4 password there regularly.[/b][/i] Also it's your #4 password that could be subject to an off-line attack (stolen home computer, cloud/dropbox-breach) so it should be very very strong.



    [i][b]The separation between #3 and #4 is vital.[/b][/i] No matter what we do with #2 (the 4-digit PIN), I can't foresee any circumstances where we would do away with the separation between #3 and #4 on iOS.

    [/quote]



    Emphasis above is mine. To be clear, however, this is currently the exact problem with the Android implementation: 1Password for Android requires the use of the "#4" master password to log in, which in my case is a 24-character mixed-letter/number/symbol string, thereby making 1Password on Android virtually unusable.



    Fortunately, I'm only testing a Galaxy Nexus right now and not planning to switch to it as my primary device, but were I actually going to do so this one issue would be enough to make me abandon 1Password entirely for a competing solution, despite the fact that I otherwise really like 1Password.
  • GeneY
    GeneY AWS Team
    edited December 2011
    Hi jhollington,



    I sincerely regret to know that you didn't find our arguments sufficient.



    I strongly suggest you re-read the whole topic, I don't have anything to add to it.

    Not sure though why you use 24-character mixed-letter/number/symbol string your Master Password, not even sure how to remember that long password.

    If I recall correctly, iOS also requires Master Password to be provided (for viewing Hi-Security items).

    We may assume that all items on 1Password for Android are high security ones and in order to see them, Master Password is required.

    As far as I see from other Data Management Implementations on mobile devices, virtually all of them require Master Password of some kind for Logging In. In addition, very few of them allow an alternative way of authentication such as PIN.

    I hope I already mentioned that master password is required only once only when you launch 1Password for Android, later on you can safely work with a 4 Digits PIN.

    Please notice that when you log into your bank account from your mobile device you are asked for the Master Password, no bank gives you a chance to login with a PIN in order to see Summary and password later on if you want to see detailed information.

    Security requirements change, PIN number is nice and easy to enter, however, let's leave it only for screen locking when user is already authenticated and require Master Password for actual authentication.



    Best regards,

    Gene :-)
  • jhollington
    jhollington Junior Member
    edited December 2011
    [quote name='GeneY' timestamp='1324481511' post='55959']If I recall correctly, iOS also requires Master Password to be provided (for viewing Hi-Security items).[/quote]



    Actually, this is not entirely correct. If you check my earlier comments, as well as jpgoldberg's responses, you'll see that the issue is that the Android app is fundamentally different from the iOS application in that it uses the [u][i]desktop[/i][/u] master password for authentication. iOS has a [u][i]separate[/i][/u] "master password" that can be (and usually will be) different from that used to actually secure the 1Password data store.



    I think the problem here is that somewhere along the way, the decision was made to use the same terminology ("master password") between both the desktop and iOS applications. If you look at jpgoldberg's post above, however, he clearly distinguishes between the two on the iOS side.



    [quote name='jpgoldberg' timestamp='1324320214' post='55830']

    3. The 1Password master password [i][u]on your iOS device[/u][/i]

    4. The 1Password master password [i][u]that you use on the desktop[/u][/i] (this is only used during the Dropbox sync process)



    Like you, my master password on my iPhone and iPad (#3 in the list above) are much shorter than my master password on the desktop (#4). [b]1Password on iOS would be unusable if I had to use my #4 password there regularly. [/b]Also it's your #4 password that could be subject to an off-line attack (stolen home computer, cloud/dropbox-breach) so it should be very very strong.



    [b]The separation between #3 and #4 is vital. No matter what we do with #2 (the 4-digit PIN), I can't foresee any circumstances where we would do away with the separation between #3 and #4 on iOS.[/b][/quote]



    Emphasis above is mine to highlight the key issues where the Android app differs from the iOS app in a very important way.



    Note that jpgoldberg indicates that 1Password on iOS would be unusable if the "#4 password" was required there regularly, and I agree completely.



    However, there is no "#3 password" on the Android side -- users are forced to use the "#4 password" to login, making it unusable for anybody who is actually concerned about having a secure master password.



    [quote name='GeneY' timestamp='1324481511' post='55959']Not sure though why you use 24-character mixed-letter/number/symbol string your Master Password, not even sure how to remember that long password.[/quote]



    Security. This is the password used to encrypt the 1Password data store, and as long as I'm using Dropbox to sync that data store, there is no way I'm going to compromise it by using a shorter or simpler password.



    However, other people do not necessarily share the same priorities, and requiring the user to enter the [i]actual[/i] master password in the Android app is going to risk [i]decreasing[/i] security as many people will be inclined to change their very critical master passwords to something much shorter to make it easier to type on a mobile device. As jpgoldberg correctly points out:



    [quote name='jpgoldberg' timestamp='1324320214' post='55830']Also it's your #4 password that could be subject to an off-line attack (stolen home computer, cloud/dropbox-breach) so it should be very very strong.[/quote]



    [quote name='GeneY' timestamp='1324481511' post='55959']As far as I see from other Data Management Implementations on mobile devices, virtually all of them require Master Password of some kind for Logging In. In addition, very few of them allow an alternative way of authentication such as PIN.[/quote]



    Actually, apps such as LastPass actually allow the user to choose to save their password and not have to enter anything at all when logging in. It's full of warnings about the security risks of doing this, but it's ultimately a choice as to how secure a user feels that their device is otherwise, and not really an unreasonable one for users who have encrypted their device, specified a maximum number of failed password attempts before a wipe, and also enabled remote wipe.



    However, to be very clear I'm not talking about the PIN issue here, which is a separate, semantic security argument, and I don't disagree with your points in that regard. Personally, I couldn't care less if the separate PIN goes away for good, which seems to be the direction that the iOS app is also taking.



    What I'm concerned about is merely the fact that the Android app should take the exact same approach as the iOS version and allow the user to specify a [i]different[/i] master password for use on the device rather than forcing them to use the [i]actual[/i] master password for the 1Password data store. This would be the "#3" password that jpgoldberg describes.



    As an aside, the terminology in both apps should also be updated to reflect this distinction and avoid this kind of confusion in the future. The use of "master password" in the iOS app makes it confusing in some places which password is being asked for when setting up Dropbox syncing.



    [quote name='GeneY' timestamp='1324481511' post='55959']I hope I already mentioned that master password is required only once only when you launch 1Password for Android, later on you can safely work with a 4 Digits PIN.[/quote]



    Correct, until such time as the 1Password app is killed off by the Android OS, which seems to happen pretty quickly. More often than not, I'm re-prompted for the master password rather than the PIN.



    [quote name='GeneY' timestamp='1324481511' post='55959']Please notice that when you log into your bank account from your mobile device you are asked for the Master Password, no bank gives you a chance to login with a PIN in order to see Summary and password later on if you want to see detailed information.[/quote]



    Actually, your bank does allow you to use a PIN where two-factor authentication is involved -- your bank card in that case. An iPhone or Android device is a second factor since it's the "something you have" as opposed to something like 1Password Anywhere that would theoretically allow you to log in from any device without requiring physical possession of anything. Add the fact that mobile devices have encryption and remote wipe features, and they're actually more secure than your bank card :)



    Personally, I [i]do[/i] think users should have an option of using a PIN (e.g. numeric password with numeric entry keypad) if they really want to [i]instead of[/i] an alphanumeric password -- it's an end user decision as to how secure they feel their mobile device is and therefore how complex a password they need. However, I agree that the two-tier authentication is not really required and just makes things more complicated and confusing than they need to be.



    [quote name='GeneY' timestamp='1324481511' post='55959']Security requirements change, PIN number is nice and easy to enter, however, let's leave it only for screen locking when user is already authenticated and require Master Password for actual authentication.[/quote]



    That's fine, but again my point is that the "master password" in the Android app should be the same in concept as the "master password" in the iOS app -- a [u][i]separate[/i][/u] master password from the one actually used on the desktop to secure the 1Password data file.
  • GeneY
    GeneY AWS Team
    edited December 2011
    Hi jhollington,



    I absolutely agree with you that 1Password for Android should have its own Master Password, possibly different from the Master Password used in the keychain. In fact, 1Password for Android stand-alone (currently in internal QA) has its own Master Password which is used for encrypting your secure data. User is asked for the remote keychain's password only once during data setup for the remote access.



    Remember, what you have on your Android phone right now is just a 1Password keychain reader and not a stand-alone application. Everything 1Password Reader currently does is it provides the way to view your keychain data on your phone, no matter if your data is stored locally or in Dropbox. It doesn't even let you modify your secure data on the phone. This approach is going to be much enhanced in the future version of the application.



    Please stay tuned for the updates. The stand-alone version of 1Password for Android will have all these options I mentioned above. Data will be editable on the phone and there will be a two-way sync with Dropbox, allowing you to create/update/delete data on the phone and have the change reflected in your remote keychain.

    Thank you again for the detailed input, I greatly appreciate that.

    Please always share with us your suggestions and recommendations on how to make 1Password for Android and other Agile products better.

    Your feedback is very important for us!

    Have a Wonderful Holiday!

    Best regards,

    Gene :-)
  • JohnSmith
    edited August 2012
    As a user, I'll say the following:

    - PIN unlock code on android 1PW is almost never working. Even if I switch from 1PW to another app and right back, it ALWAYS asks for a full master pw. Very annoying, almost a reason to give up the software completely. It's a freaking mobile device, it doesn't have a convenient physical keyboard, and for most people, 4 numbers are pretty enough to secure their logins almost nobody needs anyways.

    - If you claim that android is unloading the app from memory every time, something is wrong with the app. Perhaps, the iOs'esque non-standard UI elements are making the app too heavy? Other apps are not kicked out of memory, so the problem lies with the 1PW for android. So either make it stay in memory or introduce an option to use PIN-only for authentication. Better do BOTH.

    - If people want to enter master PW even when using PIN, make it a freaking OPTION. It's not like everything should be hard-wired; customization and tuning are the word for win\android, if not for macos\ios. Make an option to ask 25 different passwords for each scroll for the paranoid, if they so wish; it doesn't mean normal people have to enter their full master pw every time they switch to the browser and back.

    Please respect your users, don't torture them unnecessarily.



    Regards.



    PS not seeing any response to this message makes me think that devs just don't care.

    I was considering purchasing this application for my parents, but all the problems with constant sync loss between plugin and main application on the PC which resurface virtually every time Chrome auto-updates, inability of Android app to actually use PIN to unlock, and lack of general application development (where are the new features?) make me consider Roboform instead, particularly with the outrageous pricing for 1PW.
  • GeneY
    GeneY AWS Team
    edited August 2012
    Hi JohnSmith,



    Sorry for the delay with an answer and thank you for the detailed feedback.

    At present our team is working on the Stand Alone version of 1Password for Android with two-way sync and record editing. The application is in Alpha testing mode, we have more than 60 experienced testers working on it and the feedback we are getting on the application is very good.



    Please stay tuned for the updates on Forum.

    Regarding 1Password Reader: the application is locked with PIN number if specified in preferences, Master Password is only required when application is removed from memory by Android OS. This functionality works fine for vast majority of Android users, so far nobody reported any issues with that. Please make absolutely sure you have "Lock with PIN" box checked in the application preferences and choose 4 digits PIN. Then lock application with PIN explicitly, make sure you can unlock the app with your 4 digits PIN.



    Authentication part of the application will be redesigned for the new version. Master password will be required as before for login, but PIN number will be increased to unlimited length the same way as in Android OS.



    Again, thank you for the information provided, please stay tuned for the future announcements on Forum.



    Best regards,

    Gene

    Android developer
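The behaviour described in this thread (the Master Password derives the data key, the PIN only re-opens a session whose key is still in memory, and a process kill by the OS forces a full login) can be modelled as follows. This is an added example, not AgileBits code and not part of any post; the class and function names, the PBKDF2 parameters and the three-attempt PIN limit are assumptions made for the sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumption for this sketch, not 1Password's real parameter
MAX_PIN_TRIES = 3      # assumption: drop the in-memory key after 3 bad PINs


def derive_key(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


class ReaderSession:
    """Hypothetical model: master password derives the data key, PIN only re-opens a live session."""

    def __init__(self, master_password: str, pin: str):
        # Persisted state (survives a process kill): salts and verifiers only.
        self.salt = os.urandom(16)
        self.key_check = hashlib.sha256(derive_key(master_password, self.salt)).digest()
        self.pin_salt = os.urandom(16)
        self.pin_check = derive_key(pin, self.pin_salt)
        # Volatile state (lost when the OS kills the process).
        self._key = None
        self._bad_pins = 0

    def login(self, master_password: str) -> bool:
        key = derive_key(master_password, self.salt)
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self.key_check):
            return False
        self._key, self._bad_pins = key, 0
        return True

    def unlock_with_pin(self, pin: str) -> str:
        if self._key is None:
            return "master_password_required"   # no key in memory for the PIN to unlock
        if hmac.compare_digest(derive_key(pin, self.pin_salt), self.pin_check):
            self._bad_pins = 0
            return "unlocked"
        self._bad_pins += 1
        if self._bad_pins >= MAX_PIN_TRIES:
            self._key = None                    # force full re-authentication
            return "master_password_required"
        return "wrong_pin"

    def process_killed(self) -> None:
        """Simulate Android reclaiming the process: volatile state disappears."""
        self._key, self._bad_pins = None, 0
```

The PIN verifier survives `process_killed()`, but a correct PIN still returns `master_password_required` afterwards, because the data key never depended on the PIN.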
  • JohnSmith
    edited September 2012
    Hi GeneY,



    I'm absolutely sure Lock with PIN is checked. Furthermore, PIN validation appears from time to time - like, once in >20 switches between apps.

    Other times, just the password window appears. As I mentioned above, maybe the app gets kicked from memory by the task manager (standard one, I'm not using any 3rd party task managers\killers); with only 512 mb ram in my device, it may be the case. However, most other apps, including rather heavy ones, stay in memory successfully most of the time, so I have no idea why 1PW behaves in this fashion.

    The PIN lock seems to function correctly on my father's SGS3, BTW.



    Will hope the newer client will rectify this. Perhaps use some flag\service which will take note of time passed even if the app itself was kicked from memory. Better yet, please add an option to use only PIN lock! Particularly considering PIN>4 chars which are more secure but so much faster to type in than a password.

    Security level should be customizable, not all people are so paranoid as to enter their complete password on a mobile device. People should have a choice!



    Thank you!