[Q] recover password from email app - General Questions and Answers

Hi Guys,
my University has this dumb policy that you need to change your password every month. So I did that and immediately changed it on the phone too, so that I can receive my mails. The mail login is the same as on the main platform of the university. Now I need to login in the main platform in order to get the payment information for the new semester, but can't remember the freaking password. A simple reset or forgotten option is unfortunately not available. If you've forgotten your password, you need to go to a special facility where a pin code is handed out. With that you can reset your password. Bad luck me, I'm out of town and can't go to that facility. So is there any way to view the password that is stored in the android stock email app. I'm using android 4.4.
I would really appreciate your help.
Kind regards,
Martin

Related

[Q] Setting up work email

Does anyone know what information I need to set up my work email through my phone. My IT guy says he can do it but they need to take my phone and "do something to it" I don't know what that means but I don't want my company to have access to my private information. Any help would be great. Thanks.
papilliond said:
Does anyone know what information I need to set up my work email through my phone. My IT guy says he can do it but they need to take my phone and "do something to it" I don't know what that means but I don't want my company to have access to my private information. Any help would be great. Thanks.
Click to expand...
Click to collapse
They generally take phone to set up the needed certificates and encryption, based on the respective company policies. It would be best to delete ur personal info when u give to them. You could always set up ur personal data later.
papilliond said:
Does anyone know what information I need to set up my work email through my phone. My IT guy says he can do it but they need to take my phone and "do something to it" I don't know what that means but I don't want my company to have access to my private information. Any help would be great. Thanks.
Click to expand...
Click to collapse
If your company is an Exchange shop, you need your domain, username, password and exchange ActiveSync URL (usually your webmail URL). If your company uses client certs, then he would have to install that - but it is unlikely.
If you sync your Exchange email, your company has the ability to do remote wipe and enforce an unlock PIN.
If you do setup mobile sync yourself, they can see it and if they want they could turn it off or remote wipe - keep that in mind when going around IT. Your best bet, is to clear off anything you find personal - let them set things up, and put your stuff back on. The IT guy, should be able to set thing up in 5 minutes at your desk.
Thanks for the reply. We use lotus notes. I have no idea what type of system that is.
For Lotus Notes, they may have POP or IMAP set up - then it is like setting a normal email account for your personal use - you need server name, login name, password. If you can also sync calendar and contacts, they probably have a companionlink license - it is the only app i know off that syncs everything with Notes. If you want this, you need to let IT do their magic - either way, you probably should talk to the IT guys and find out what method they use.
Thanks I will.

SplashID v7 upgrade security issue

Besides the issues SplashData has with their SplashID v7 android upgrade losing many customers data, there is also a very worrying security issue which splashdata ignores = and actively censors, my messages regarding this on their FB page have been deleted and I am blocked from commenting our writing there)
Here is the issue:
The new SplashID version 7 had a cloud sync feature (30 day free trial, then for a fee). When first starting the upgraded version (which may have been installed automatically on Android if one allows auto upgrades!), one first has to again enter one's email address/username, and then the password (which is the one used to encrypt one's database containing all one's private, sensitive data!). Then the upgrade asks whether one wants to try the cloud sync feature.
Even if one declines and opts to stay with the existing Wi-Fi sync feature only(which does not need a cloud account), the upgrade goes ahead and automatically creates such a cloud account on splashdata's servers.*and it uses the same password* for this. (In fact as further part of the upgrade procedure one needs to log into those cloud servers using that password after receiving an activation link in email.
So, splashdata leaks the master password which one uses to secure one's most private data (credit card pins, login password etc) into their cloud, without telling that this will be fine, not asking permission.
There is no info whether the password is stored securely (doubt it), whether it is in ask cases transmitted securely (doubt that too) and anyhow, once this has happened one had lost control over that most important password. It's burnt.in the wild, out of one's own control
Note that changing the password on one's own copy of SplashID us a good idea after that, but any old copy of one's encrypted database that might still live on any old disk backup, cloud service (dropbox etc) or SD card somewhere, us now vulnerable.
And because splashdata in their 'wisdom' associated one's email address (and thus identity) with that password, it's easier for hackers to fund it.better companies than splashdata have lost password in the past.
It is even a very bad idea to user the same password for s cloud service as one uses for securing one's private data. Forcing this into users without permission or warning is almost criminal.
Sent from my GT-N7000 using Tapatalk 2
sejtam said:
Besides the issues SplashData has with their SplashID v7 android upgrade losing many customers data, there is also a very worrying security issue which splashdata ignores = and actively censors, my messages regarding this on their FB page have been deleted and I am blocked from commenting our writing there)
Here is the issue:
The new SplashID version 7 had a cloud sync feature (30 day free trial, then for a fee). When first starting the upgraded version (which may have been installed automatically on Android if one allows auto upgrades!), one first has to again enter one's email address/username, and then the password (which is the one used to encrypt one's database containing all one's private, sensitive data!). Then the upgrade asks whether one wants to try the cloud sync feature.
Even if one declines and opts to stay with the existing Wi-Fi sync feature only(which does not need a cloud account), the upgrade goes ahead and automatically creates such a cloud account on splashdata's servers.*and it uses the same password* for this. (In fact as further part of the upgrade procedure one needs to log into those cloud servers using that password after receiving an activation link in email.
So, splashdata leaks the master password which one uses to secure one's most private data (credit card pins, login password etc) into their cloud, without telling that this will be fine, not asking permission.
There is no info whether the password is stored securely (doubt it), whether it is in ask cases transmitted securely (doubt that too) and anyhow, once this has happened one had lost control over that most important password. It's burnt.in the wild, out of one's own control
Note that changing the password on one's own copy of SplashID us a good idea after that, but any old copy of one's encrypted database that might still live on any old disk backup, cloud service (dropbox etc) or SD card somewhere, us now vulnerable.
And because splashdata in their 'wisdom' associated one's email address (and thus identity) with that password, it's easier for hackers to fund it.better companies than splashdata have lost password in the past.
It is even a very bad idea to user the same password for s cloud service as one uses for securing one's private data. Forcing this into users without permission or warning is almost criminal.
Sent from my GT-N7000 using Tapatalk 2
Click to expand...
Click to collapse
Ouch, that sounds a bad idea. If the user doesn't want a remote account made, they should respect that. Can you give me any more details about this, I would like to contact them and request some proper response to this. While they might not be leaking the plaintext password, anything that can be "opened" with your password is a significant enough leak, as it would allow an attacker to verify they have the right password.
pulser_g2 said:
Ouch, that sounds a bad idea. If the user doesn't want a remote account made, they should respect that. Can you give me any more details about this, I would like to contact them and request some proper response to this. While they might not be leaking the plaintext password, anything that can be "opened" with your password is a significant enough leak, as it would allow an attacker to verify they have the right password.
Click to expand...
Click to collapse
Not much more that I already said. I am a long-time user of their SplashID (Mac) Desktop and Android app to store all my credit card, bank acount and yes, many systems passwords in.
The database they use is encrypted with a 'master password' which one has to enter on ones' Android (or iPhone, etc) or Desktop everytime to
unlock and decrypt (in memory), so that one access the data.
The same password is used on both the mobile and desktop of course.
A few days ago, an upgrade to SplashID v7 was made available on the Google Play store. I don't allow 'automatic' updates (though I am sure a lot of folks do!), but this time I also did not really check what the upgrade offered, and clicked 'UPDGRADE ALL' when it was offered along with a nunber of other upgrades. So it got installed.
When i subsequently opened SplashID again, it told me about all the shiny new features (cloud sync etc) and as normal asked me for my password (it also asked for my email address. I though that this was for them to check my purchase/license ans what features woudl be enabled)..
I thought that it would then show me my data. But wrong. Instead it offered me a selection whether I want to use the new 'cloud sync' feature (30 day free trial, later for $$), or stay with the normal 'wifi sync'.
I opeted for the latter (because I don't trust having my data sent to the cloud).
Anyway, the next thing I get is a message: (paraphrasing) "we have created your cloud account, you will get an email and will have to verify your email). Sure enough, I get an email:
Thank you for signing up for SplashID Safe Personal Edition!
To activate your account, please verify your email address by clicking the link below: Verify Email
Then check your email for our SplashID Safe Welcome message.{/QUOTE]
The link goes to: https://www.splashid.com/personal/webclient/login.php
I had to again ther enter my email address, and *the same password* that I entered before (which I thought would be for my private data-store).
Yes, that same password was used to create my account on their cloud server, even though I opted for the Wifi Sync *only* and never
asked for a cloud-sync.
Nor did the app tell me that the same password would be used to secure that aco****.
The issues with this are self-evident:
a) my most secure password, the one used to secure my data on my mobile and on my desktop is now 'leaked' to their cloud account
b) I have *no* idea how secuerly that password was transferred (in clear, encrypted, just a hash), nor how securely it is stored
c) it clearly is linked to my cloud-account on their website, so
- someone somehow learning that password could 'verify' it by accessing that account
- if someone hacked their system and accessed their database, that link would be apparent to them
d) I have nost *all control* over securing that password myself. It is 'burnt', 'in the wild'
e) Any pass backups of my secure SplashID database that may live on SD cards of mine, on backup disks, which may have
been copied to the cloud (dropbox, others) are now vulnerable. It is no use for me to change this password here now, as
old copies that may still exist somewhere are still encrypted with this password (and I cannot change them back).
Yes, I am trying to limit exposure for that password data file as much as possible, but eg Titatium Backup may have at some point in teh past backed it up and copied a backup to the cloud (yes, that is also encrypted, but once that featire failed).
More that that, of course users who are not as security conscious may have opeted for 'could sync'.
While I have not tried this feature myself, it sounds to me like thsi does copy the teh data to SplashID's cloud and
there secures it too only with that one single password.
So many users wh may not have thought all this out may have opted for the 'CloudSync' trial, and not only have their
password 'leaked'/'burnt' now, but also have all their data in the cloud, again secured only with a password that is no longer in their sole possession.
In fact, any secure, trustworthy system would have
a) been *very* upfront about what they are going to do with the password and the cloud account
b) used a separate password to secure the cloud account
c) only stored my encrypted copy of the database in their cloud, without *them* having the password for it
d) done any syncing on the client (ie, transfer the complerte encrypted password to the mobile or desktop where the comparisonupdates would happen) and then copied back again a secured file, that was encrypted on the mobile).
Click to expand...
Click to collapse
More discussion on SplashID's own site: http://forum.splashdata.com/showthr...ically-send-in-background-to-splash-id-server

[Q] Exchange Email Device ID Change

Hello,
I am hoping someone can help me out. I have my work email setup on my phone using their webmail address. If I use the standard address, i am required to have Maas360 installed, which is not an option with me being rooted. Anyways, if I have the email program I use, which is either Nine or Mail Wise, setup for ActiveSync, my business server will catch it and block me. So, I have to setup the email app to scan for new emails every X minutes.
The problem I am running into, is I did not know that I had to have ActiveSync turned off, so now my device is banned when using Nine mail. So, I tried the same with Mail Wise, and got banned again. Now, on my third app, AquaMail, I have realized the problem, and its working great. However, I would prefer to use Nine mail. When trying to go back into Nine and recreate my account, i get an error that my device is blocked. I get the same error on Mail Wise. Both list a different Device ID. NineXXXXXXX and MailWiseXXXXXXXX. Is there a way to change this ID? I tried creating a new ID in Titanium Backup and that didn't change the IDs in the mail apps.
Thanks to anyone who can help!
you could ask the app developer (he should know it^^) or ask you sys admin. Normally it isn't that hard to unblock a phone (had done that enough).
I tried that. Sent an email a few days ago and haven't heard back.
Do you got a solution? I have the same problem, thx
Reply after very long time, but maybe could help someone else...
Nine email device ID is stored in a text file /data/data/com.ninefolders.hd3/deviceName. Could be changed with root rights. Changes become effective after re-start of Nine
Hey man, i'm in the same boat.
Thanks so much for sharing the solution.
Can you help me how to setup Nine so that it doesn't get blocked again?
Bump
Bump. I have the same issue. Any solution for non-rooted phones?
DKbluefish said:
Reply after very long time, but maybe could help someone else...
Nine email device ID is stored in a text file /data/data/com.ninefolders.hd3/deviceName. Could be changed with root rights. Changes become effective after re-start of Nine
Click to expand...
Click to collapse
I recently tried to give Nine a DeviceID by amending this file. The Device ID is saved in the file, but Nine is always announcing the hexadecimal equivalent of that ASCII Device ID to the server. So if your approved ID by the server is in hex format, you can reverse it and put that into the file.
If not (which is my case), I would appreciate anyone who can indicate if there is a string that enforces Nine to keep the Device ID of the file without hex-transformation...

App-specific passwords not working anymore under Android 5

Hi!
I am using multi-factor authentication for all my Google accounts.
I am pretty sure that I once used app-specific passwords on my Android (that time version 4 of Android) devices to authenticate.
Yesterday I reset my device and also the app-specific passwords I created earlier. I recreated new app-specific passwords.
Then, after having restarted my freshly reset Android device I tried to add one of my Google account after the other. As part of that I am, for each single account, first asked for my mail address and password. But, for whatever reason the app-specific passwords are just not accepted. Once entered I am just prompted again and asked for my password. Fascinatingly Google seems to recognize that the password is correct, because if I enter a wrong one on purpose I really get an error saying that the password is wrong.
Entering my "main" Google password works and leads me to a UI then asking for my Google Authenticator code.
Are app-specific passwords no longer support for adding my accounts on Android or am I doing something wrong?
Thanks!
P.S.:
Yes I have seen this thread here: http://forum.xda-developers.com/gen...n-specific-password-google-t2964926?nocache=1
But I wonder if there are meanwhile more official news available?

Hacked for sure!!!

Hello group hope you can help me with this most recent conundrum I am what I considered to be a power user but not anywhere near the level of developer I know my way around my phone and that's about it I have basic networking skills. Recently I noticed a few charges on one or two of my accounts such as venmo or cash app those charges quickly escalated to other charges on virtually every single payment platform that I am signed into I'm embarrassed to say it but whoever hacked me got me and I'm positive that it came through my Android phone based on the activity on my Gmail accounts my question is this how can I definitely unequivocally find the footprints in my phone through logcat viewer and or how can I guarantee that they will not be transferred to my new phone once I transfer apps
this sounds like a simple stolen password / email scenario.
Change your passwords for every account you have, use different ones for each or better: a password manager like keepassxc - is gud.
database leaks happen quite often and that's why we use different passwords and 2fa for each of our accounts, if you think this isn't just a stolen identity case and you are woried about it, create a new google identity using a new email ( remember the password manager! ) on your new phone, download all your apps from trusted sources and discard all accounts creating new ones (if you have money/sensitive data, transfer it in the safes possible manor) and do a factory reset on your old device for good measure
Qwerty_in_me said:
this sounds like a simple stolen password / email scenario.
Change your passwords for every account you have, use different ones for each or better: a password manager like keepassxc - is gud.
database leaks happen quite often and that's why we use different passwords and 2fa for each of our accounts, if you think this isn't just a stolen identity case and you are woried about it, create a new google identity using a new email ( remember the password manager! ) on your new phone, download all your apps from trusted sources and discard all accounts creating new ones (if you have money/sensitive data, transfer it in the safes possible manor) and do a factory reset on your old device for good measure
Click to expand...
Click to collapse
thank you for your reply.. what bothers me is google had no record of anything other than my phone logged in. to any account..another tidbit...rules had been created by whomever to send emails relating to my financial stuff to trash and erase. Lastly i had helped a friend log into her cash app one time and her cards had charges from the same period dollar ammount and places...even as recent as today facebook canceled an ad account that wasnt mine but i was paying for it.
Probuilt5337 said:
thank you for your reply.. what bothers me is google had no record of anything other than my phone logged in. to any account..another tidbit...rules had been created by whomever to send emails relating to my financial stuff to trash and erase. Lastly i had helped a friend log into her cash app one time and her cards had charges from the same period dollar ammount and places...even as recent as today facebook canceled an ad account that wasnt mine but i was paying for it.
Click to expand...
Click to collapse
yeah, nuke everything you had and make a new online presance.
I can't say what happened as it sounds like a data breach, but there's some h4xx0r elements there too.
stay safe! Use a password manager and 2fa!
Qwerty_in_me said:
this sounds like a simple stolen password / email scenario.
Change your passwords for every account you have, use different ones for each or better: a password manager like keepassxc - is gud.
database leaks happen quite often and that's why we use different passwords and 2fa for each of our accounts, if you think this isn't just a stolen identity case and you are woried about it, create a new google identity using a new email ( remember the password manager! ) on your new phone, download all your apps from trusted sources and discard all accounts creating new ones (if you have money/sensitive data, transfer it in the safes possible manor) and do a factory reset on your old device for good measure
Click to expand...
Click to collapse
I found the culprit... I had downloaded a copy of miracle thunder from a shady source because I did t want to wait for the paid for edition. Needles to say, again being in a rush, I plugged my personal phone in and remarked "well u get what you pay for this sw is t doing sh*t" ...oh boy was I wrong it was doing plenty.... LESON LEARNED ty everyone for your help.

Categories

Resources