Since it’s something that would affect everybody, I thought I’d ask here what everybody think about this feature, and whether we really need it.
This is a feature developed by @ishantgupta777, which will add a button that would reveal the master key password on mobile:
It can be convenient in some cases, for example if you forgot your password, or to verify what you’ve just typed, but the drawback is that it can potentially be unsafe, as discussed below:
Without asking user the current password, anyone can see the passwords to master keys.Hence, there should be a prompt confirming the current password.
That’s a valid concern. As it is, if someone takes your device it is very difficult to extract the master key password (you’d probably have to enable USB debugging, and somehow hack it from there). However with this change, it’s just a press of a button. Chrome asks for the device password when doing this, but probably it would be hard for us to do the same from React Native.
So I think that should be at least discussed. Do we so badly need this feature that we make the app slightly less secure for it? And the thing is, it’s not optional, even users who will never need this feature would still have it there, with their password easily exposed at the press of a button.
So I’m wondering, do we proceed with this or not?