I'm dealing with the same exact situation you are right now. I store it in the app after it's been verified in one-way encrypted form. Worse for worse, I am weak against replay attacks, but at the same time, his password is a little safer, since only the encrypted form of the key is known, not the original. At least then, if the system is compromised, the black-hat won't try the password in other places (bank, school, personal stuff, etc.).
Play that funky music white boy..
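As an added example (not the poster's code), this is one way to keep only a one-way, salted form of a verified password so that a stolen store does not hand over the original credential; it assumes PBKDF2-HMAC-SHA256 from the standard library and a self-describing record format, both my choices rather than anything from the thread.

```python
import base64
import hashlib
import hmac
import os

# Assumed record layout: algorithm$iterations$base64(salt)$base64(digest).
# The iteration count is stored so it can be raised later without breaking old records.
ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a salted one-way digest of the password and pack it for storage."""
    salt = os.urandom(16)  # fresh random salt per record, so equal passwords never collide
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iterations and compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: treat as a failed check, never as a pass
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample credential, not a real one.
    stored = make_record("correct horse battery staple")
    print(stored)
    print(verify("correct horse battery staple", stored))  # True
    print(verify("wrong password", stored))  # False
```

Note that this only limits what a leaked store reveals; it does nothing about the replay weakness the post describes, which has to be handled at the protocol level (nonces, short-lived tokens) rather than in how the credential is stored.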