PIN or passcode lock for InkDrop app


#1

Hello,

InkDrop security is already good (encryption at rest and in transit) but I’d like to be able to lock the Windows application so a PIN or a passcode is required when launching it, or after a period of idle time. I also use StandardNotes, which has the passcode feature.

This is useful in situations where I may need to allow someone else to use the laptop (e.g. support personnel) but I don’t want them to be able to open my notes.

Roger


#2

Hi Roger,

Thank you for the suggestion.
Some apps focusing on security like StandardNotes and 1Password support the lock feature, which seems to be useful.

However, I basically assume that your computer is always used by you.
You have to lock your computer itself every time you leave it so that someone else can’t use it.
When you need to allow someone else to use it, I think, just logging out is sufficient to protect your notes.

Allowing other person to use your computer involves a large security risk that he/she could see your personal information in many ways such as local files in your hard disk, email client, calendar, browser with a lot of credentials, etc. And the system basically assumes that a current user is you. Do you need all apps to support the lock feature?

I don’t mean that I completely disagree with you.
I just would like to know why it’s so necessary, especially for Inkdrop.

Thanks!


#3

Thanks for replying: I understand your point of view. Most users of InkDrop probably use it only on their own personal laptop, but I had it installed on my work laptop, which of course isn’t mine and occasionally other people (mainly IT support staff) will have access to it.

You’re right of course - all I need to do is sign out after every session, but most users just close the application (without signing out) which presumably means the database remains unlocked and anyone else accessing the computer (locally or remotely) would then be able to run the application without authenticating? A PIN-code (like StandardNotes) would prevent that, and would be quicker than email + password.

But this is a low-priority issue: there are many other things more deserving of your time!

Thanks for replying, and for developing InkDrop - it’s a great product.

Roger


#4

anyone else accessing the computer (locally or remotely) would then be able to run the application without authenticating?

Do you mean you are sharing your Windows account with your IT support staff?

If no:

It’s safe.
When other person launched Inkdrop, it will show up the login screen because it’s not you. Your login credentials are stored in Windows Credential Vault. The app calls CredRead API to read a credential from the user’s credential set. The credential set used is the one associated with the logon session of the current token.
On Windows, there’s no sudo equivalent command possible unless they know your password. So administrators can’t use it as you.

If yes:

It’s a wrong account management. You have to separate your account from IT staffs.

Thank you for your understanding.
Hope that helps!


#5

No, I’m not sharing my Windows account with anyone.

The second part of your reply is what I needed to know: I’m happy as long as nobody else accessing this machine can access the InkDrop database contents.

Thanks again for replying and for InkDrop.

Roger


#6

Just a side note. The local DB is not encrypted at rest like the cloud DB is. Is that correct?


#7

Apparently, yes, that is correct:


#8

Yes, for the performance reason.