
Password protection #2417

Open
hardyks opened this issue Aug 25, 2022 · 9 comments

Comments

@hardyks

hardyks commented Aug 25, 2022

In my personal mind the app should have password protection because the app can contain a lot of personal data.

@NPadrutt
Contributor

hey @hardyks
I like that idea! feel free to submit a PR for it :)

@hardyks
Author

hardyks commented Aug 27, 2022

Thanks @NPadrutt for your reply. Where can I submit a PR, please?

@NPadrutt
Contributor

Apologies @hardyks. I meant that in case you want to contribute and implement this feature.

@krestenlaust
Contributor

To what degree should the password cover? Should it be used as an encryption key as well, or just to access the app? It would leave OneDrive vulnerable to people who know the app.

@hardyks
Author

hardyks commented Oct 18, 2022

Thank you for investing your thoughts in my idea.
I think password protection for access in both apps (mobile and windows) is enough. Access to the backups of the data in the OneDrive cloud is also and already password-protected or "even equipped with 2-phase password protection", so it should be difficult to restore the backup on another cell phone.
I think it would be important to set up password protection on the "mobile phone app and on the Windows app", especially in the Windows app, since many PCs in the family are used by several family members and thus access at least into the app is made more difficult.
Thank you very much for your effort.

@hardyks
Author

hardyks commented Oct 18, 2022

Another idea: password protection already combined with the Windows account.

@krestenlaust
Contributor

Do you have any suggestions for what would happen if you wrote the wrong passcode multiple times? Should there be a fixed delay? Maybe a fixed delay after every wrong passcode. Alternatively, no delay at all and an infinite number of tries (which allows for brute-forcing (I don't see brute-forcing as a big issue though)). Also, how many digits? I believe 4 is enough.

Regarding the Windows build,
I like the idea of using Windows Hello as an authentication method. But I think that implementing a passcode for the Windows client is silly, since OneDrive only supports passcodes for the mobile versions (Android/iOS), and OneDrive on PC is effortlessly accessible if you have accessed the user's desktop in the first place. It would be akin to putting a passcode on a PDF reader, but no passcode on the document we're trying to protect.

We should consider encrypting the database files before implementing Windows passcodes, in my opinion. If you have any good counterarguments, I'm all ears! :)

@NPadrutt
Contributor

NPadrutt commented Nov 8, 2022

I think encrypting the database backup would make a lot of sense. @kres0345 feel free to create a new issue for that since I think that's something separate. (Also feel free to work on that ;) )

@hardyks A thought that crossed my mind was regarding this part.

I think it would be important to set up password protection on the "mobile phone app and on the Windows app", especially in the Windows app, since many PCs in the family are used by several family members and thus access at least into the app is made more difficult.

Why wouldn't you just set up separate Windows user accounts with a password there? Then all the data is separated and protected. Or is that not possible for a reason?

@hardyks
Author

hardyks commented Nov 8, 2022

I'm pleasantly surprised that a small thought triggered a whole thought tsunami.

I think that an access PIN is quite sufficient. Access to the data backup is already based on the WIN account access data. I think that's sufficient, especially since most of them have probably already set up the 2-phase account security. With an access PIN I only wanted to make opening the app more difficult.

I moved the app to the "safe folder" on my Samsung phone or use an AppLock-app on another phone. That works quite well so far.

Thank you for your thoughts and efforts on this.
