Getting lockscreen password from Redmi Note 9S possible? - General Questions and Answers

Phone information:
It's a Redmi Note 9S (miatoll)
Phone has LineageOS (https://wiki.lineageos.org/devices/miatoll/) on it
Open bootloader
USB debugging is enabled
It is on and the lockscreen password has already been entered a few times
Story:
Got the Redmi Note 9S used for my girlfriend, installed LineageOS on it and unfortunately forgot to disable USB debugging. So it was in the state as described above in "Phone Information". The phone was found by my girlfriend's mother and because the mother didn't know she had such a phone, she wanted to know what she was doing with the phone. So the mother went to a friend and this friend found out the password of the phone within 5min according to the description of my girlfriend. So he really got the password displayed on the PC. The password was very strong and looked like "Z6u$e2%&Fq!k26W2", so he didn't bruteforce it.
I know he did it using fastboot and then maybe installed something over it. My girlfriend said he had a terminal open on his computer with green font color. I was shocked that he did it so easily, which is why I really wanted to know how he did it. Did over 18 hours of research, read through many forums, read up a lot on reddit and it was all about removing the password at most, but not about getting the password.
Question:
How did he do that? Is such a thing even possible?
I would also like to hear your guesses on how he did it or do you think my girlfriend lied to me? but I can't imagine that and I don't know why she would do that. The whole thing was several months ago, but I'm dying to know how!!!

don't believe storytelling. who uses "Z6u$e2%&Fq!k26W2" for lock screen? have you even tried it's possible to set? mine only allows [A-Za-z0-9]
Password storage in Android M
General Android discussion, some focus on Android security. Updates about my WWWJDIC, Kanji Recognzier and Hanzi Recognizer apps.
nelenkov.blogspot.com

aIecxs said:
don't believe storytelling. who uses "Z6u$e2%&Fq!k26W2" for lock screen? have you even tried it's possible to set? mine only allows [A-Za-z0-9]
Password storage in Android M
General Android discussion, some focus on Android security. Updates about my WWWJDIC, Kanji Recognzier and Hanzi Recognizer apps.
nelenkov.blogspot.com
Click to expand...
Click to collapse
The password I wrote was just to symbolize how strong the password was. How the actual password is, I do not know, only that it was 16 characters long. Maybe I got it wrong with my writing, sorry English is not my native language

however, iloveyou$unshine is not a strong password and can be bruteforced with rainbow tables and crypto miners. keep in mind you must enter password every time you grab your phone. you must have paranoid girlfriend

aIecxs said:
however, iloveyou$unshine is not a strong password and can be bruteforced with rainbow tables and crypto miners. keep in mind you must enter password every time you grab your phone. you must have paranoid girlfriend
Click to expand...
Click to collapse
It wasn't such a password. The password was random like in my post. Whether with special characters or not, I do not know. I will ask her again. This was also not her main phone, but should only serve as a second phone to not be tracked so strongly as with stock Android or IOS.
In the meantime, she has a Google Pixel 7 Pro with GrapheneOS. She is not paranoid. She and I are increasingly concerned about our privacy and don't want to be permanently tracked by Google or anyone else.

don't ask her. if you don't believe in bruteforce you should let show you the magic from her mother's friend. maybe he's working for qualcomm or chinas government

aIecxs said:
don't ask her. if you don't believe in bruteforce you should let show you the magic from her mother's friend. maybe he's working for qualcomm or chinas government
Click to expand...
Click to collapse
So the only way that comes to your mind is that he did it via Bruteforce? Do I understand you correctly? and you don't believe that the password was that strong and since I wrote again that it was a relatively strong password you believe that he had the available power to do it?
He doesn't even work in IT, just in a supermarket

Related

IT Security Policy...

I am getting a password requested when I boot up my phone.
This has been bothering me over the last several days.
It turns out it is forced by an exchange account I have set to synchronize with my phone.
Is there any way to force this password request to be ignored?
It is not the exchange ID password, rather it is a new password that exchange requires to be entered on phone boot-up in order to enforce security on my phone.
I already use pattern lock, so this is redundant... not to mention annoying.
I don't know if it can be bypassed. I'd like to know too, because although convenient for me, I will not put my work email on my device if I am forced to password protect my screen, as was the case with my Samsung Epix. I'd prefer to be forced to enter my credentials each time I were to check my work email than to enter a pass to unlock my screen.
a_fuegon said:
I don't know if it can be bypassed. I'd like to know too, because although convenient for me, I will not put my work email on my device if I am forced to password protect my screen, as was the case with my Samsung Epix. I'd prefer to be forced to enter my credentials each time I were to check my work email than to enter a pass to unlock my screen.
Click to expand...
Click to collapse
I would think that the pattern lock would satisfy any need for protecting my email from unauthorized use... a 4 digit numeric code is less secure than the pattern lock, which has 9 points and who knows how many possible combinations.
There have been quite a few discussions about this. Lockpicker seems to work but the developer states only for the HTC Sense.
I'm sure IT managers aren't going through any effort to change their security policies and endure all that's involved to change something they feel is currently effective, regardless of the users sentiments. It's up to us the users to find a way to circumvent or deal with it.
a_fuegon said:
There have been quite a few discussions about this. Lockpicker seems to work but the developer states only for the HTC Sense.
I'm sure IT managers aren't going through any effort to change their security policies and endure all that's involved to change something they feel is currently effective, regardless of the users sentiments. It's up to us the users to find a way to circumvent or deal with it.
Click to expand...
Click to collapse
It is frustrating, given the fact that this is a new change. For the longest time I thought it was something i did while modding my phone.
I will try the "get IT to fix it" route, but I have my doubts anything will come of it.
Otherwise, I will need to get someone to look at lockpicker.
Thanks.
joeybear23 said:
I would think that the pattern lock would satisfy any need for protecting my email from unauthorized use... a 4 digit numeric code is less secure than the pattern lock, which has 9 points and who knows how many possible combinations.
Click to expand...
Click to collapse
The problem with the pattern lock is you can almost always figure out the pattern based on the screen smudge left behind by it.
This could be overcome if the lock screen didn't show up the same way every time. Either larger / smaller scale or in a differnt orientation then the last previous time (sometime upside down and sometimes landscape). Then the smudges would overlap / confuse each other a little bit atleast.
If the e-mail account is a business account and is controlled by an IT group that isn't you, they're protecting their business. They don't want devices out there with no password and an open line to their systems. If you want your phone to sync with their e-mail account, then you have to accept their security requirements. I don't know why everyone thinks that they should be able to bypass an IT groups security requirements simply because they're inconvenienced by a passcode. A middle ground would be a passcode just to read that e-mail account, but I don't think any of the mobile devices offer such a feature. The simplest solution is still simply to not sync that e-mail account or check it as an IMAP account if you can.
Remove IT Security.
There is a way to get rid of this prompt but you will need a SQLDB editor like SQLite and Root explorer or something similar.
if you open up root explorer then go to DBDATA\DATABASES and then browse down to com.android.providers.settings then open settings.db
you will see a list of items, if you go under "system" then scroll 3/4 of the way down you will see the section for ITsecurity policy. [this is what the exchange services enforced on your phone.
if you change the section "devicelock_itpolicy_enabled" from a 1 to a 0 this will obviously disable this policy.
once the change is done you will need to restart your phone and you will notice upon the restart that it does not ask you for the password again.
problem with this is that its a remote policy however and the phone WILL be pushed this information again. [probably after only a day or two of use]
someone could probably write a MCR script to take care of this easily.
I've found the best way for me ot make the change is to copy the settings.db to another folder [like on my SD card] then make the change I need there.. and whenever there is a repush of the policy, I just overwrite the one settings.db with the other.
this is a temporary solution.. but it does get rid of the password policy.
another option maybe setting the timeout value listed below that.. some exchange policy will only check for the "password enabled" portion to be checked. but the default timeout maybe adjusted to something crazy..
default for my org is 40 minutes. [IE 2400 seconds] so adjusting it to 4000 minutes may just make me not worry about this value as much
l7777 said:
If the e-mail account is a business account and is controlled by an IT group that isn't you, they're protecting their business. They don't want devices out there with no password and an open line to their systems. If you want your phone to sync with their e-mail account, then you have to accept their security requirements. I don't know why everyone thinks that they should be able to bypass an IT groups security requirements simply because they're inconvenienced by a passcode. A middle ground would be a passcode just to read that e-mail account, but I don't think any of the mobile devices offer such a feature. The simplest solution is still simply to not sync that e-mail account or check it as an IMAP account if you can.
Click to expand...
Click to collapse
You are correct. They are protecting their interests and spend lots of money doing it.
Now, I did sense a bit of anger or frustration in your post. If so, calm down. These companies have every right to ensure that they deliver their info as securely as possible. Seeing as we do live in a free country, if somone decides they want to circumvent some established policies, then so be it. It'll be them that will have to suffer the consequences of their actions, not you. I for one am annoyed by those security features. Hence the absence of my company email from MY device.
If it bothers you, you do have the right to skip this thread and move on to the next one.
a_fuegon said:
You are correct. They are protecting their interests and spend lots of money doing it.
...
Click to expand...
Click to collapse
What is funny is the fact that requiring a 4-digit password at boot up does very little to keep unwanted eyes looking at email on a phone.
How often do thieves steal a powered-off phone... Plus it takes only seconds to hack through that anyway.
It's like gun laws: it only creates another hoop to jump through for the people playing by the rules.
joeybear23 said:
What is funny is the fact that requiring a 4-digit password at boot up does very little to keep unwanted eyes looking at email on a phone.
How often do thieves steal a powered-off phone... Plus it takes only seconds to hack through that anyway.
It's like gun laws: it only creates another hoop to jump through for the people playing by the rules.
Click to expand...
Click to collapse
I disagree - the idea here is to protect data for certain amount of time - it is a barrier, but not made to be foolproof.
Do you leave your house door unlocked? It takes seconds to smash a window or pry a door, so why lock it? You have an alarm? I can turn off the power and cut the phone line from outside - so i just easily circumvented this too. I can shoot or poison the dog, so that is not perfect either.
I like the PIN Lock, and I wish i could add one to my phone. If you lose your phone, you don't want people getting to your stuff before you can wipe it. The PIN does that it, gives you time.
And it is not that easy to bypass unless you keep your phone in USB Debug mode, and even then Android should prompt for the PIN before mounting drives or granting ADB access - if it doesn't then Android has a major security flaw.
The pattern lock is a joke - as mentioned, i can usually see someones pattern. That coupled with the idea, that although there are 9 starting points, the next point is only one of 3 adjacent points, and so on for the next. If it is really complex it becomes hard to remember - unlike numbers which can be many digits long and easy to remember.
I for one am happy to comply with a PIN lock - it keeps people i know from picking up my phone and rooting around.
alphadog00 said:
...
I for one am happy to comply with a PIN lock - it keeps people i know from picking up my phone and rooting around.
Click to expand...
Click to collapse
So you power down your phone after every use?
Because this PIN lock only comes up at boot up...
and the numbers are visible when you type them in.
a_fuegon said:
There have been quite a few discussions about this. Lockpicker seems to work but the developer states only for the HTC Sense.
Click to expand...
Click to collapse
Didn't work on my captivate, and as I understand it, it shouldn't work on any captivate because it changes Sense-specific settings.
I didn't really read through this thread, but if this is indeed a corporate exchange account, then there is no way around it.
joeybear23 said:
So you power down your phone after every use?
Because this PIN lock only comes up at boot up...
and the numbers are visible when you type them in.
Click to expand...
Click to collapse
On my Samsung Captivate it is requiring it everytime the screen goes blank. With HTC WM phone i was able to set this to 24 hours so it would only ask once a day or on power off then back on. If I could make it prompt just a little less I would be fine with it.
mreevimus said:
On my Samsung Captivate it is requiring it everytime the screen goes blank. With HTC WM phone i was able to set this to 24 hours so it would only ask once a day or on power off then back on. If I could make it prompt just a little less I would be fine with it.
Click to expand...
Click to collapse
Same here. Everytime the phone wakes is a big pain. I set my winmo phone for 2 hours.
I also work from a company that does this. Using the standard email app connection to exchange server, it requires the pin unlock when coming out of standby after a certain number of minutes. VERY annoying.
The best way around it will cost you $20. Using Touchdown, the pin unlock is in the app only. It will only prompt you for it when you actually use the app (again after a certain number of minutes).

Can't unlock device!!

Hi guys, I created this account just for this question so I hope I'm posting in the right section!
On to the problem, I have a SM-G920I S6 that I have locked with my fingerprints. I set my backup password to my gmail one so it would be easy to remember. This morning I went to unlock my phone and the scanner didn't recognise my finger 3 times(happens sometimes as we all know). It asked me for the backup password which I entered and it told me was wrong (3? times). It then asked for my google email and password which it also says is wrong!
I haven't set up the 'Find my mobile' thing yet (idiot) so I can't remotely unlock it. I tried logging in and out of youtube on my pc and that works fine but now I can't access the verification code message because there are multiple messages/texts (on my phone) at this point *sigh* - but it demonstrates that my password is working at least!
I guess the last thing I can do is wipe the phone? but I obviously don't want to do that...
I also only just recently changed my password and enabled 2-step verification (before buying the phone though so that shouldn't break it???) if that helps.
Thanks guys!
Hi again guys, I just want to announce that my phone has magically let me in with the password I've tried dozens of times!
I'm not sure how to delete/end a thread so I just wanted to post a conclusion. Sorry if I haven't done the right thing.

Hi! I seriously might be paranoid

Hi!
Im not sure where to post, plz dont hare if Im postning wrong.
Long story short;
Jan - 2020 bought a new mbp - got hacked. Lost all mail acc etc.
Have had 2 pc wrecked as well.
And My 1+3, iPhone 6s, Nexus 5X.
From three I bought a Xiaomi mi 9 lite.
Poped Up, ~"your no longer admin-isch" after a Day or two.
Okey, is it something with me or old acc or am I in need of medical help was my thought now 6 months later.
Yesterday I've finally had enough and bought and brand new oneplus 7T. After mentioned expercinces I started it in the store, had them set it up and told them about my seriously, now physical worries.
All fine, updated evertyhing turned it off. Had VPN, malwareybytes installed. No wifi, bt, NFC etc activated. Bought free internet with sim-card bc of my maybe mental issues?!
Anyway. Got home, since all above I've done nothing else but visiting play store and https-xda + oneplus forum in app.
That app which I connected to a brand new Gmail (set Up in mentioned store, also why I write here and not there) got acc to My Gmail etc.
Now I found an email changing named mail from "[email protected] to [email protected].
So installed and bought Sd maiden pro. Found worrying similar folders with this bindning sign; "$" though turned the other way. In those folders there are stuff like systemMUI, mui is only Xiaomi??? Or what. This is spinning out of hand now, but Im so freckasouly scared since all above and dont know what anymore.
Have Mcafee internet secururity with VPN since I left the store, got Netguard today since I got worried, and protonVpn since Mcafee dont have a kill switch.
Of we overlook My obvious paranoia, how can I find out of Im out of My head?
I ser things in Sd maiden at /self and emulated like tty and there where a lot exceptions there as well, like /notifications/, /alarms/ etc.
Im at a dead stop now. I must be imagining but since I've Lost all My earlier acc, 6 months of life + a few bucks I am both out of options and Lost Hope.
Anyway I can find out whats okey? I mean, is there supposed to be like 3-4 types of dial apps/logos? 4 kinds of Cinnamon? And why are mi doing here?
Also got 3 yubico key associated with My Google acc.
Quite a few of earlier mentioned phone just lying around which I'd gladly send someone for free IF there are any intresset in investigae, Keep the phone.
Again. What can I do to feel safe? Doctor or any other way?
(Dinner now brb asap)
I didn't read 90% of that.
As an ex security guy, just clean install. Don't restore anything you'll be fine.
The way you're typing is uncomfortable to read, hammering in that you have mental issues and asking confusing unanswerable questions. If you genuinely believe you're paranoid get professional help, there's no harm there, but then regarding the phone you didn't really seem to ask any proper questions. Clean install (or wipe) your OS, and then you're fine. Then step by step setup your phone as you would and try to find the cause of whatever it is that is being suspicious.
That's all I can suggest, but I wish you well, please look after yourself.
Hi,
For your mental health you should be looked at by some proffesional.
For your Tech problem:
Reset the damn Modem change your wifi ssid& password and change also the default password for your modem gateway. If some one hacking you its most likely by your wifi once you got the acces to it you can preety much see any device on the network and if you know your way arround you can do alot with all the devices on network.
Format your hardrive or break into peaces and throw it away buy an ssd/harddisk New OS, firewall on and new account hotmail/apple id and malwarebytes.
Reset your smartphone clean install of OOS and malwarebytes and ofcourse new gamil and two way autehntication activated.

Could a device be tampered with through mail

Hi!
During the last 6 months I've had a real problem with my online security. Bought a MacBook Pro which turned out to have had a root virus installed, infecting my Wi-Fi and thus all units who connected to it.
Took me a while to figure out...
First I had a brand new, out of the box Xiaomi MI 9 that got rooted OTA and I lost admin privliges etc.
From my experiences with that and from what I could gather I think it might have had something to do with this cloak and dagger virus thing, overlay and ****ing permissions hidden and yeah I really dont know, anyway.
Today I still worry about what happened. I know much is irrationell since I no longer have any Wi-Fi, instead I use unlimited data and got my self a new Oneplus 7T.
Not even enabled developer options nor touched the bootloader or usb debugging.
When I first bought it, (I had not been able to browse the internet nor search the info before bc of above) I ofc asked the store if they had any type of deal or knew of for a reliable VPN.
Unfortunatley, due to my lack of research, being locked out of my mail acc etc I ended up with a second license of Mcafee Internet security vpn, proxy.. (Probably have around 10-15 of those, containg True key and virus protection)..
This is where my fear comes in again.
Been trying to find an answer to this but I can't find enough to have piece of mind, or my 6 months "rehab" from the internet and technology made me a noob at googling.
Bear in mind, I also have and had Malwarebytes Premium, now I also use ExpressVPN instead of Mcafee. (Though I think I'll take advantage of this life time deal on Ivacy VPN today.).
Back to my first fear.
- Mcafee Internet security + Malwarebytes.
As mentioned I lost my mail accounts. Lost or lost, I reclaimed them and eventually locked them with a Yubico key.
Trying to retrive the Gmail on my new device I could swear my menu altered and Android all of a sudden allowed other users, ("All users get their own space, acc, etc").
Still having PTSD (how I refer to it) after this spring I wiped it all, didn't use it for a week, wiped it some more, hahah, and I begin to use it again.
I changed pass, added Yubico key, log out of all devices nor do have anything worth stealing. I wonder If there is anything I'd might have missed?
Ex, might be of topic.
When I try to restore my messenger password. I get the mail, enter the code and proceed to change pass when the code no longer is valid, permission #200 something. This ofc gets me thinking that my mail somehow might be forwarding my mail, syncing them? Gdrive have previously been set to auto sync and then I've unknowingly loaded malware in previously used phones.
I'll to summarize my question.
I guess I wonder if it could be dangerous in somehow or possible to install something on my new device through Gmail if I decide to log in again? Just saw my fb acc is schuduled for delete tommorrow, which is why I'm posting here, could use some advice.
While I'm at it I also am curious if there are any good info regarding Android security. Because I would like to flash a new rom without all bloatware, Google stuff etc and keep reading about safetynet and Selinux.
Also, good tip if there any on how to disable ssh, sftp, stf and all that? During this that happened I also found Samsungs Knox good, probably bc it wont work with overlay? Are there anything similar to Knox for a Oneplus? Many questions in one but I also wonder; I know that I once used my NFC security key one the Xiaomi, when it was infected. Could the key somehow been copied? Might be a bit over cautios,
0

Forgot my Secure Folder password S10e

As I wanted to be more secure I set up a password for my secure folder . Luckily my mates turned up, we got a bit drunk , obviously by the morning I had no idea what is my new password.
Spent an hour with some guy from Samsung on the Tutor app , He couldn't help to go around or reset it.
Im using fingerprint for log in but after restart asking the first time password and this where I stuck.
I know my Samsung account password, Im using Samsung Pass if its help.
Samsung Galaxy S10e
SM-970F
Phone status : Official
If there is a way to save the data from there would help already or if you guys can direct me how to reset the password.
Any help would be appreciated, thank you.
Many times these secure folders are very secure. For something like my ancient Casio BOSS there's no way to bypass it short of brute force even after over 30 years.
I hope you backed up that data... and you should as it's always one drop, one near lightning strike, etc away from oblivion.
I set no password on PC bios, backup data drives or my devices because of losing accessibility or the data entirely. If the set password becomes corrupted (I've had it happen) you'll lose access... maybe permanently. It's not just forgetting it that can become a problem.
You right there, thanks. Eventually I will find my password , hopefully just the 30 second wait between trying them a bit killing.. )
GusTheHun said:
You right there, thanks. Eventually I will find my password , hopefully just the 30 second wait between trying them a bit killing.. )
Click to expand...
Click to collapse
At least it doesn't lock you out like Google
Look inside here:
https://us.community.samsung.com/t5/Galaxy-S-Phones/Secure-Folder-pin
jwoegerbauer said:
Look inside here:
https://us.community.samsung.com/t5/Galaxy-S-Phones/Secure-Folder-pin
Click to expand...
Click to collapse
"Page not found"
??
GusTheHun said:
"Page not found"
??
Click to expand...
Click to collapse
Yes the URL was mangled: sorry for this.
Archived - Samsung Community
us.community.samsung.com

Categories

Resources