en using an external SSD or Flash drive there is no need to store the password on this disc. But locally on my PC everything has to be stored on the same disc. I think that the password to access my phone or tablet is not only in my brain, but also somewhere on the phone.
Only in its "hashed" form. (unless the device is hopelessly flawed, from a data-security viewpoint)
A hash algorithm is one to which you hand a piece of information - a password, an N-digit number, or whatever. The hash function accepts it, does some specialized math (amazingly simple math, to be honest) on it, and hands back another value that has no visible relationship to the input. The closer to "truly random" the output is, the better. The trick is this: The output of a hash algorithm that isn't flawed *CANNOT* be reversed to retrieve the information that was fed into the hash algorithm using methods and technology we have today. Perhaps in the future, this will change, but as of now, it can't be done. Currently, nobody knows (or at least, nobody admits to knowing) any method of doing that that can be accomplished in any amount of time significantly less than would be spent feeding every possible combination into the hash function and seeing if the value that comes out of it is the same as the hash that comes out when the original information is sent in. Further, hash functions are intentionally designed to make small changes in the input create HUGE changes in the output. So putting "Password1" into the function might spit out "F&W-(kLqaN6", but putting in "password1" (a single bit worth of difference to change the initial uppercase P into a lowercase p) might spit out "6^f]#elQmm", while putting in "Password2" (another 1-bit change from the original "Password1") might get you "n1X+Q%_5" - something that's nothing like either "6^f]#elQmm" or "F&W-(kLqaN6", aside from the fact that all three look like random gibberish.
Most modern (newer than *ROUGHLY* 2010) devices use this method to store passwords. When you tell them you want a new password, they request one from you, usually ask you to put it in again to make sure you didn't fat-finger it the first time, then hash it, destroy every trace of whatever you put in, and write the new hash over top of the old hash that resulted from your previous (if there was one) password.
So now you've got "F&W-(kLqaN6" (which is the hash of "Password1", but nobody except you knows that, and there is no currently known practical way to find out) stored on the phone, and you want to log on. You do whatever it takes to make your phone "wake up", and eventually, it asks you for your password. You key in "Password1" at the prompt, and the phone runs it through the hash function, then compares the result to what it has stored. Are they the same? If so, the phone unlocks, and you go about your biz. No match? Back to the "enter your password: " prompt.
I wrote about this, referring to section 3.2.4 Encryption :
“Many recently-introduced SSDs encrypt data by default, because it provides increased security. It also provides a quick means to sanitize the device, since deleting the encryption key will, in theory, render the data on the drive irretrievable. Drive E takes this approach.
The advantage of this approach is that it is very fast: The sanitization command takes less than a second for Drive E. The danger, however, is that it relies on the controller to properly sanitize the internal storage location that holds the encryption key and any other derived values that might be useful in cryptanalysis. Given the bugs we found in some implementations of secure erase commands, it is unduly optimistic to assume that SSD vendors will properly sanitize the key store. Further, there is no way verify that erasure has occurred (e.g., by dismantling the drive).”
The *ONLY* truly reliable way to destroy data that has been written to a hard drive, whether it's a spinning platter drive, or SSD, is physical destruction of the storage media - typically by running the entire unit through a grinder of some sort to reduce it to a pile of itty-bitty pieces that nobody, not even all the king's horses and all the king's men, can put back together in a functional form. The *REALLY* paranoid, like governments, will go even further - They'll melt the resulting pieces into slag, or stir them into a batch of concrete, or similar "Nope, not even gonna let you see the pieces" procedure.
