How difficult would it be for someone who stole your device to gain access to the username and password information stored under the
Settings -> More -> Accounts section of an
On Linux shadow passwords are stored as hashes but these are only used to check inputs (they are never transmitted over the network). I wonder how Android implements account security here (perhaps special hardware supporting accounts and passwords)?
Android uses AccountManager to store the passwords. By rooting a phone you can access the encrypted store. What happends now depends on the password you use to lock your phone (from which is derived the encryption key for the store).
As you can imagine, a 4 digits PIN is not going to resist long. A fingerprint (or other mechanism with large entropy) will not be cracked.
External links referenced by this document: