With the current implementation of FDE on Android, this is already the case, just with a weaker password the majority of the time since the users won't want to enter a lengthy and more secure password each time the device is locked.
On Tuesday, May 21, 2013 5:38:11 PM UTC-4, Nathanael Abbotts wrote: > > One quite severe issue that I can think of is that any secondary users on > a device have to know the "adminstrator's" password if they want to be able > to access the device from a powered off state. This is obviously less than > ideal. > > On Tuesday, 21 May 2013 22:30:54 UTC+1, seattleandrew wrote: >> >> If you haven't been following issue >> 29468<http://code.google.com/p/android/issues/detail?id=29468> for >> Android, a couple of people are upset that the unlock passcode is tied to >> the encryption passcode. From a usability stance, this makes perfect sense, >> this way users don't have to memorize two passwords, the less the better. >> The issue is, once a FDE (Full Disk Encryption) Android has been unlocked >> the first time, the device is decrypted until it's powered off. This means >> once the device has been unlocked once, there isn't a need to continue >> requiring complex passcodes since all it does is unlock the device. >> >> With the current schema, I argue it actually impacts security and >> usability since users will either choose a complex passcode (for more >> entropy in FDE) and suffer every time the device re-locks or a user will >> choose a simpler passcode (PIN or 6 char) in order to make the unlock >> process easier (but now FDE has less entropy). >> >> With the addition of multiple-users in Android, I argue it wouldn't be >> too difficult to separate the FDE passcode from the user's unlock passcode >> (even on single user devices). >> >> What does the rest of Android Security think? Do you guys >> think separating FDE and the unlock passcode would be beneficial? >> > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/groups/opt_out.
