by csirac2 4267 days ago
Obviously, a strong passcode is a must.

But that's a big ask not just for the obvious reason, but also because the Nexus 5 is the first phone I've ever owned which demands that I unlock it first before I can access the UI to cancel an alarm.

And even then, it's a game of chance (especially when the phone is upside down while you're asleep) whether your swipe is in the correct direction (apparently UI designs actually removed the visual cues which would normally guide the user toward the correct action).

I wish it was easier to decouple the passphrase for the key and the passcode to unlock the device...

They have _very_ different security properties. Offline brute forcing the unlock passcode is far harder (presumably it's stored in the encrypted fs), so a shorter code is fine. Offline brute forcing of the encryption key passphrase is much easier (as TFA explains), but I'm never going to use a 'good' passphrase there, as it would be far too annoying to have to type it every time I unlock the phone...

It requires root, but Cryptfs (available in the Play Store and F-Droid) enables just such a feature. In fact, it's written by this blog post's author.

http://nelenkov.blogspot.com/2012/08/changing-androids-disk-...

https://play.google.com/store/apps/details?id=org.nick.crypt...

> It requires root

And there's the problem... I'm trading one security improvement for a whole host of other issues...

That's a valid concern, though you can root, install and run the app, and then unroot. It's not a good solution, but it is a solution until Android L builds in the ability to use different passwords.

Which issues?

Google needs to solve that part of the problem. Apple has already solved it with TouchID.

Google needs to do the same and mandate all OEMs must certify for fingerprint scanning technology (that has a high standard of accuracy and security, not the gimmicks HTC and Samsung have tried before), or at least incorporate the same kind of technology Nymi uses in all Android Wear watches, so you can unlock the phones with that. Google should either acquire or replicate what these guys are doing:

http://www.getnymi.com/

Touch ID does not replace the password, it is merely a shortcut for it, as far as the current implementation goes.

Touch ID still requires you to type in your password after you boot the phone. Still quite handy, but not a password replacement by any means.

I think the idea is that the password (which can be made complex if you don't have to enter it that often) is analogous to the "passphrase for the key", while Touch ID serves as the normal "passcode to unlock the device".

> But that's a big ask not just for the obvious reason, but also because the Nexus 5 is the first phone I've ever owned which demands that I unlock it first before I can access the UI to cancel an alarm.

Do you mean a firing alarm, or a pending alarm? One can cancel a firing alarm just by swiping, no passcode needed.

I would prefer to have to enter my code in order to cancel a pending alarm. Otherwise I can imagine practical jokers cancelling an alarm if they have the chance.

Not all the time, I must admit - but when I'm blindly poking my phone or it's just grabbed out of my pocket, some part of the screen (that for me is the most likely part) makes the swipe prompt disappear and is replaced with the passcode entry.

Given that I have my N5 in a case, perhaps it's an inadvertent button press. Still, the UI should always provide swipe access to disable an alarm while the device is blaring at me.

That is a very good feature because forcing the user to perform a mentally demanding operation to dismiss the alarm decreases the risk of falling back to sleep (;