App lock
App lock is an optional credential gate that runs before any chat data hydrates. Configure it in Settings → Security.
PIN, password, or both
You can require any of:
- PIN — 4, 6 or 8 digits. Quick to type on a numeric pad.
- Password — any length and character set.
- PIN + password — both required. The PIN is asked first because it is faster to type.
An optional plaintext hint can be stored alongside, so you have something to read after a failed unlock. The hint is plaintext on purpose — if it were encrypted with the password, you would need the password to see the hint, which defeats the point.
How credentials are stored
Loach never writes the PIN or password to disk in plaintext, and never stores them in the SQLite database. The lock blob — a salted hash produced by a modern password hashing function — lives in the OS credential manager. On Windows that is Credential Manager; on Linux it is the Secret Service via your desktop’s keyring.
The lock screen
On launch, the lock screen fills the window until you authenticate. When both a PIN and a password are required, the PIN field is shown first. A wrong attempt clears the PIN field but keeps the password field, so you can fix a typo without retyping everything.
Rate limiting
After several consecutive failed unlocks the unlock command is refused for an escalating cool-off window — from tens of seconds up to a couple of hours after persistent failures. The counter resets on a successful unlock and on app restart.
Re-authentication for destructive actions
Even after you unlock the app, changing or removing the lock and the destructive Data management commands (Import, Wipe user data, Factory reset) ask for your current credentials again. This means a compromised renderer cannot silently disable the gate or trigger a wipe.
Loach has no “forgot your PIN” flow on purpose. If you lose the credentials you set, the only path back in is a factory reset — which deletes your chats. Make sure your hint is enough.