From a8c89422d6942d4dba27986cf610544bae1abfb5 Mon Sep 17 00:00:00 2001
From: M66B <M66B@users.noreply.github.com>
Date: Wed, 14 Nov 2018 20:36:43 +0100
Subject: [PATCH] Added FAQs

---
 FAQ.md | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/FAQ.md b/FAQ.md
index 75a1fbd5b4..a1fb86c37b 100644
--- a/FAQ.md
+++ b/FAQ.md
@@ -24,7 +24,6 @@ For:
 
 * Notifications per account
 * Fixed action bar conversations
-* Password protected export file: next release
 * Keep conversations open (for previous/next navigation)
 * Microsoft OAuth
 
@@ -443,6 +442,23 @@ but will also leak your IP address.
 Opening attachments or viewing an original message might execute scripts,
 that might not only cause privacy sensitive information to leak, but can also be a security risk.
 
+<a name="faq36"></a>
+**(36) How are settings files encrypted?**
+
+Short version: AES 256 bit
+
+Long version:
+
+* The 256 bit key is generated with *PBKDF2WithHmacSHA1* using a 128 bit secure random salt and 65536 iterations
+* The cipher is *AES/CBC/PKCS5Padding*
+
+<a name="faq37"></a>
+**(37) How are passwords stored?**
+
+Providers require passwords in plain text, so the background service that takes care of synchronizing messages needs to send passwords in plain text.
+Since encrypting passwords would require a secret and the background service needs to know this secret, this could only be done by storing that secret.
+Storing a secret together with encrypted passwords would not add anything, so passwords are stored in plain text in a safe, inaccessible place.
+Recent Android versions encrypt all data anyway.
 
 ## Support