CNET también está disponible en español.

Ir a español

Don't show this again

Phones

Android stores passwords in plain text: Safer than a false sense of security?

The phone hacking scandal has made us touchy about security loopholes. Today we learn that Android stores passwords as plain text -- but should we be worried?

The News of the World phone hacking scandal exploded across every aspect of public life with such force -- Charlie Brooker called it EverythingGate -- that we've become a bit touchy about every security loophole we encounter. Today we learn that Android devices store passwords as plain text. That sounds unsecure, but should we be worried?

Passwords for email accounts are saved into the SQLite database in Google's mobile software, and on the phone's memory in plain text format -- stored as they're written, with no encryption.

Google is working on the problem, which an Android user spotted and challenged the Big G to address. Googlebloke Andy Stadler explains that the passwords have to be easily accessible in order to sign in to your email, as email protocols POP3, IMAP, SMTP and Exchange ActiveSync ask for a password every time you check your email.

Newer email protocols get around this by using the password once to prove you're really you, then remembers that by saving a token instead of grabbing the password every time. It's like handing over your ticket at the start of an event, then getting a wristband or stamp on your hand to pass in and out.

Android users have been calling for passwords to be encrypted, although hackers knowledgeable and determined enough to find your password are likely to also be able to find the encryption key too. Some developers argue that encrypted passwords are actually worse than unencrypted details, because they furnish you with a false sense of security and encourage a cavalier disregard for where you use your password.

Stadler, a software engineer who works on Android, distinguished between actually making a password more secure -- locking it away -- and simply obscuring it.

We don't think this is an issue to lose any sleep over. In most normal cases, if someone gets hold of your £500 smart phone the rapacious tea leaf is more likely to flog it down the pub than start delving into your email. But in light of voicemailgate, it's always good to remind ourselves of general security precautions. Don't use the same password for everything, and you'll limit your exposure to this loophole.

Google is working on the issue. Do you think Google should do more to protect your details? Tell us your thoughts in the comments or on our Facebook page.