Why Your Notes App Is Not a Safe Place for Passwords

March 2026 · 5 min read

You probably do it. Most people do. You get a new Wi-Fi password, an API key from work, a recovery code from your bank. You open your notes app and type it in. Maybe you even have a note called "passwords" with dozens of entries.

This is one of the most common security mistakes people make with their phones.

The problem with notes apps

Apple Notes, Google Keep, Samsung Notes, and most other notes apps were designed for grocery lists and meeting notes. Not for storing the keys to your digital life. Here is what is wrong with them:

Not encrypted by default. Most notes apps store your text in plain format. Anyone who gets access to your phone, your cloud backup, or your synced account can read everything.
Synced to the cloud unencrypted. Your "passwords" note is sitting in iCloud, Google Drive, or Samsung Cloud. If that account is compromised, your passwords are exposed.
No auto-lock. Switch apps and come back, the note is still open. Hand your phone to someone to show them a photo, and one swipe could reveal everything.
No clipboard protection. Copy a password from a note, and it sits in your clipboard until you copy something else. Any app can read the clipboard.
No search protection. Search your phone for "password" and your notes app will happily show every match.

"But I use Apple's locked notes!" Apple's locked notes are better than nothing, but they have significant limitations. You cannot lock notes with attachments, PDFs, or tags. You cannot lock notes synced via third-party accounts. And locked notes are tied to your device passcode, not a separate strong password.

What people actually store in notes

It is not just passwords. People store:

Bank account numbers and PINs
Credit card numbers
Social security numbers
API keys and tokens from work
Wi-Fi passwords for every place they visit
Recovery codes for two-factor authentication
Screenshots of sensitive documents
Private photos they do not want in their camera roll

All of this sitting in a plain text note, synced to the cloud, one compromised account away from exposure.

What about screenshots?

Even worse than typing passwords into notes: taking screenshots of them. People screenshot their Wi-Fi settings, their 2FA recovery codes, their new API keys. These screenshots sit in the Photos app, sync to iCloud or Google Photos, appear in shared albums, and show up in search results.

A screenshot of a password is a password stored as an image, completely unencrypted, completely unsearchable (you cannot find it when you need it), and completely exposed.

What you should do instead

Use a dedicated vault app that encrypts everything with a master password. The difference is fundamental:

Everything encrypted. Every password, note, file, and screenshot is encrypted with AES-256 before it touches disk.
One master password. You remember one strong password. Everything else is locked behind it.
Auto-lock. Switch apps and the vault locks. Nobody can see your data without your master password or biometric.
Clipboard auto-clear. Copy a password and it disappears from the clipboard after 30 seconds.
Zero-knowledge. Even the app developer cannot see your data. The encryption happens on your device.

Lockbox: The vault for everything private

Passwords, 2FA codes, secrets, notes, files, and screenshots. All encrypted. One-time purchase. No subscription.

Learn more

But password managers are too complex

That used to be true. Traditional password managers like 1Password and Bitwarden are powerful but overwhelming. They have browser extensions, team features, emergency access, travel mode, and dozens of settings most people never touch.

If all you want is a safe place to keep your passwords, API keys, and private photos, you do not need all that. You need a locked box. Open it with your fingerprint, see your stuff, close it.

That is exactly what Lockbox is. No subscription. No complexity. $4.99 once, and everything is encrypted forever.

Try Lockbox →