Skeptics Guide to the Universe Forums

General Discussions => Tech Talk => Topic started by: seamas on April 01, 2019, 04:12:51 PM

Title: Cell Phone question
Post by: seamas on April 01, 2019, 04:12:51 PM
My daughter either forgot or accidentally changed her passcode (swipe) on her cell phone. (an LG Android)

I have searched around for solutions, most say we'd have to restore factory settings and lose data, or try one's hand at what looks like a dubious software solution.

It seems a bit odd to me that there is no easier solution unless I am missing something. Am I?

(there is no "forgot password" button after swiping incorrectly)
Title: Re: Cell Phone question
Post by: Rai on April 01, 2019, 04:25:48 PM
I could not find any solution either apart from erasing the phone, which does feel excessive.

I suppose she tried just stopping to try for a while and doing something else. For me, these things tend to come back if I stop thinking about them.
Title: Re: Cell Phone question
Post by: Belgarath on April 01, 2019, 07:44:15 PM
There's a perfectly valid security reason for not allowing some alternative method to log into your phone.  If you can do it, someone else can do it, and that violates good security practices.

Title: Re: Cell Phone question
Post by: Eternally Learning on April 01, 2019, 07:51:50 PM
I found this article from 2018 (https://www.techadvisor.co.uk/how-to/google-android/how-unlock-android-phone-forgotten-passcode-3424220/) listing a few ways to go about it.  Not sure if any of them will work in your situation, but it might be worth a shot.  Better than losing everything. You could also try contacting your service provider and/or LG support.  They may have ways to unlock it providing you can prove your identity.
Title: Re: Cell Phone question
Post by: Noisy Rhysling on April 01, 2019, 08:24:21 PM
It might be better to let her lose everything. She might be more careful in the future.

It worked for me.
Title: Re: Cell Phone question
Post by: The Latinist on April 07, 2019, 03:06:50 PM
The whole point of a passcode lock is to make access to the phone impossible without the passcode. Why on earth would there be a way to bypass it?
Title: Re: Cell Phone question
Post by: daniel1948 on April 07, 2019, 04:45:22 PM
The whole point of a passcode lock is to make access to the phone impossible without the passcode. Why on earth would there be a way to bypass it?

Because of all the people who will inevitably forget their passcode. ;D
Title: Re: Cell Phone question
Post by: The Latinist on April 07, 2019, 07:41:25 PM
The whole point of a passcode lock is to make access to the phone impossible without the passcode. Why on earth would there be a way to bypass it?

Because of all the people who will inevitably forget their passcode. ;D

If they can't be trusted to remember it, let them find a secure way to store it elsewhere.  Or even write it down on a sticky note; at least they'd be sacrificing only their own security and privacy, not everyone's.
Title: Re: Cell Phone question
Post by: Eternally Learning on April 07, 2019, 10:52:02 PM
I was thinking about this today and trying to draw a parallel with something of physical value that you'd want to keep safe.  Almost nothing of physical value, that can be locked away and then accessed easily and regularly by the owner is ever truly lost when whatever access key is lost.  Most protective devices usually are just good for delaying an attack long enough to make it completely impractical for all but the most determined and knowledgeable to illegally break in.  I think this is true for bike locks, small safes for home use, padlocks, and so on.  If you own the protected item(s), it's usually just a matter of time, effort (skill obviously being a factor too), and money to get into anything because even if you can't overcome the locking mechanism, you can overcome some other aspect of the device to get in.  You might not be able to guess a combination lock, but you can cut the shackle or break whatever the shackle is attached to.  To truly make a physical item irretrievable without the security key, you'd need to create some sort of booby trap to destroy it before someone can break in like the Codex in The DaVinci Code. 

With phones, it's a different game since someone can try and break in without even being in the same zip code as the device, but many of the same principles of recovery hold true.  If something is important enough to secure, chances are that it's important enough that you wouldn't want to risk losing it forever due to carelessness.  At the same time, any tool available for recovery without the passcode is now potentially a tool for a thief to take it without the passcode as well.  It'd be like a safe company creating a master combination that works on every lock so that if you forget yours, they can unlock it for you; not hard to imagine that code getting leaked and thereby compromising every single product they sell.  Is there a digital analog for cutting a safe open with a jackhammer; something that cannot be done under normal attempts to steal?
Title: Re: Cell Phone question
Post by: Belgarath on April 08, 2019, 08:49:04 AM
There really isn't.  If you listen to any reputable cryptologist they will tell you that any hole you put in it is a hole that a bad guy can use.

The method right now to get past the passcode is a brute force attack on the phone, you theoretically could get into it by just guessing passcodes until you hit the right one.

You can get a good estimation of how long it will take here:

https://www.grc.com/haystack.htm
Title: Re: Cell Phone question
Post by: daniel1948 on April 08, 2019, 10:28:05 AM
The whole point of a passcode lock is to make access to the phone impossible without the passcode. Why on earth would there be a way to bypass it?

Because of all the people who will inevitably forget their passcode. ;D

If they can't be trusted to remember it, let them find a secure way to store it elsewhere.  Or even write it down on a sticky note; at least they'd be sacrificing only their own security and privacy, not everyone's.

That's what I do. But companies have to provide what consumers want, or they'll lose market share. And consumers are people. And people are dumb. Maybe phone companies should offer two versions of their phones: One version that if you lose your pass code, the phone is a brick and you have to throw it away, and another version that is recoverable by some method that is reasonably secure.

One reason I think cryptocurrency is impractical is that if you lose your key, you've lost your money. If I lose my bank password I can visit the bank, establish my identity, and regain access to my money. Someone who can convince the bank they're me can rob me. But then there are other safeguards.

There are always trade-offs.
Title: Re: Cell Phone question
Post by: The Latinist on April 08, 2019, 11:31:45 AM
Maybe phone companies should offer two versions of their phones: One version that if you lose your pass code, the phone is a brick and you have to throw it away, and another version that is recoverable by some method that is reasonably secure.

The phone will not be a brick.  You just have to restore it and lose the data that is on it.  That is literally the only way to ensure that only you can have access to the data on your phone.

That said, you can and should have your data backed up so that if that happens you can always restore it.
Title: Re: Cell Phone question
Post by: Captain Video on April 08, 2019, 11:33:43 AM
And use last pass or similar from now on.
Title: Re: Cell Phone question
Post by: seamas on April 08, 2019, 02:40:45 PM
The whole point of a passcode lock is to make access to the phone impossible without the passcode. Why on earth would there be a way to bypass it?

Sure, but Forget your bank or credit card health plan password and you can get a new one by means of verification. I would think that a service provider would be able to do the same.
Title: Re: Cell Phone question
Post by: Captain Video on April 08, 2019, 03:12:05 PM
The whole point of a passcode lock is to make access to the phone impossible without the passcode. Why on earth would there be a way to bypass it?

Sure, but Forget your bank or credit card health plan password and you can get a new one by means of verification. I would think that a service provider would be able to do the same.

I don't trust Apple nor any of the droid companies to have my personal unlock code.  Last Pass has a business model ready to handle this, I don't think they can see any of my codes/passwords other than the master. I could see a phone company doing the same but they haven't yet as far as I know.
Title: Re: Cell Phone question
Post by: daniel1948 on April 08, 2019, 09:10:34 PM
... you can and should have your data backed up so that if that happens you can always restore it.

That's the crux of it. It always baffles me when people lose data because of a crash or a hacker, and they have not backed up. I remember when backing up your computer was an hour-long process of inserting one 5 1/2 inch floppy after another and waiting for each to write. Now it's a couple of clicks or just set it to happen on a schedule. Or with a phone, it happens automatically unless you tell it not to or never bother to set it up in the first place.

But yet people don't back up their data.
Title: Re: Cell Phone question
Post by: brilligtove on April 08, 2019, 11:48:59 PM
The whole point of a passcode lock is to make access to the phone impossible without the passcode. Why on earth would there be a way to bypass it?

Sure, but Forget your bank or credit card health plan password and you can get a new one by means of verification. I would think that a service provider would be able to do the same.

It isn't obvious, but these are quite different situations. In the case of the bank or credit card you have a third party that controls your access to a resource that they own. In the case of the phone, you are the only one who has control over access to a resource you own. YOU are the bank in this scenario.

If you want a third party to be able to unlock your phone, you essentially give them access to everything you can access through that device. Who made your phone? Apple, or Samsung, or Huawei, or Google? If they can circumvent your password, they have access to everything that your phone has access to. Oh, and that minimum wage employee in India or Brazil who got around your password? She could too.

ETA: This is a little hyperbolic and inaccurate but not wrong - in the same way that the models of the atom that you learned first were wrong, but not *wrong* wrong.
Title: Re: Cell Phone question
Post by: daniel1948 on April 09, 2019, 10:25:23 AM
^ Good points.

I like The Latinist's idea: A phone with no recovery method, and back up your data. Of course then you have the issue of the security of your back-up.  ::)  Do you store it locally? What happens if you lose that password? Do you store it in the cloud and trust the cloud company? And what about that password?

I don't really have anything important on my phone. My phone book can be replaced. My apps can be replaced. Pictures on my phone are just copies so I can show people.

Title: Re: Cell Phone question
Post by: bimble on April 09, 2019, 10:44:47 AM
Unless you're expecting these people to be breaking into your accounts from your home, just keep your passwords on a piece of paper near your computer...
Title: Re: Cell Phone question
Post by: Belgarath on April 09, 2019, 11:36:13 AM
The whole point of a passcode lock is to make access to the phone impossible without the passcode. Why on earth would there be a way to bypass it?

Sure, but Forget your bank or credit card health plan password and you can get a new one by means of verification. I would think that a service provider would be able to do the same.

I don't trust Apple nor any of the droid companies to have my personal unlock code.  Last Pass has a business model ready to handle this, I don't think they can see any of my codes/passwords other than the master. I could see a phone company doing the same but they haven't yet as far as I know.

Minor nit:

LastPass cannot derive your master password, nor do they know it at all.  They only know an algorithmic hash of it which cannot be reverse engineered in a reasonable amount of time.  Now, they DO allow for a method to recover your account, but that does weaken the protection provided by last pass.  They apply a waiting period and do their best to ensure that it REALLY is you trying to gain access.  But the way they do this is that they essentially have a SECOND password to your account that allows them in if certain conditions are met.

https://support.logmeininc.com/lastpass/help/recover-your-lost-master-password-lp020010

BTW: I strongly strongly recommend that you DISABLE any sort of account recovery using SMS on ANY account you have.  SMS is totally insecure.  SMS messages are NOT encrypted end to end in transit and the encryption that IS used (from cell tower to your phone) is very weak.

You should never use SMS as a second factor except if you're forced to do so by the provider.  Having it as a second factor (but NOT an account recovery) is a bit more secure, but it's much better to use OTP apps.
Title: Re: Cell Phone question
Post by: The Latinist on April 09, 2019, 12:26:48 PM
On my phone I use iCloud backup, a strong passphrase, and TouchId. My phone is set to wipe its memory after 10 unsuccessful passphrase attempts.  I keep all of my passwords (randomly-generated and long) in a Lastpass vault with secondary authentication through an app on my phone.  There is no passcode recovery option on my Lastpass vault.
Title: Re: Cell Phone question
Post by: daniel1948 on April 09, 2019, 12:39:54 PM
LastPass cannot derive your master password, nor do they know it at all.  They only know an algorithmic hash of it which cannot be reverse engineered in a reasonable amount of time.  Now, they DO allow for a method to recover your account, but that does weaken the protection provided by last pass.  They apply a waiting period and do their best to ensure that it REALLY is you trying to gain access.  But the way they do this is that they essentially have a SECOND password to your account that allows them in if certain conditions are met.

So a crooked employee or someone who hacks Lastpass could get that second password and get into your accounts?

The whole concept seems to involve trade-offs: It lets you have unique, long, very secure passwords for your log-ins to all your web sites, but it means that anybody who hacks your Lastpass account gets access to everything. It puts all your eggs in one basket.

And of course if you are using fingerprint ID, a bad guy could just force your finger onto the sensor. Face ID even easier. Not to mention the Hollywood super-villain solution of cutting off your finger.
Title: Re: Cell Phone question
Post by: daniel1948 on April 09, 2019, 12:51:38 PM
... There is no passcode recovery option on my Lastpass vault.

Does this mean they have not created a secondary password, or merely that there's no way for you to recover it? I.e., is it in there where a hacker or crooked employee could get it?

I figure no lock is perfect. The lock just makes it more difficult to open the front door than to smash the window. A password to your accounts just has to make it more difficult to access the account via the password than to convince the account administrator that the thief is you. You probably don't need a 50-character random string to achieve that. But with a password manager, a thief only has to obtain one password to get access to all your accounts.
Title: Re: Cell Phone question
Post by: The Latinist on April 09, 2019, 03:20:50 PM
... There is no passcode recovery option on my Lastpass vault.

Does this mean they have not created a secondary password, or merely that there's no way for you to recover it? I.e., is it in there where a hacker or crooked employee could get it?

My password vault is encrypted on my computer/phone using 256-bit AES encryption with a key that never leaves my computer.  LastPass never sees the unencrypted vault and does not have access to my key.  They store only the encrypted vault, which they allow me to download if I enter my password.

They also never see my password.  On their server, they store only a cryptographic hash of my password (the result of a one-way function performed on my password on my computer).  And that hash is again hashed on their servers before storage.

At worst someone at LastPass or a hacker could gain access to my encrypted password vault or the hashed version of my password (which, even if they could find a hash collision, would only give them the ability to download my encrypted password vault, not the ability to decrypt that vault).  Without my encryption key, the last estimates I saw were on the order of 10e38 years to brute force.
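
The split described in the post above (a vault key that stays on the client, plus a separately hashed login value that the server hashes again before storing it), as an added example that is not part of the original thread and is not LastPass's code. PBKDF2-HMAC-SHA256, the iteration counts, the e-mail address as salt and the `VaultServer` class are assumptions; the AES step is left out, so the vault is a placeholder byte string.

```python
import hashlib
import hmac
import os

# Assumed work factors for this sketch; not taken from any vendor's settings.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000


def derive_vault_key(master_password: str, account_email: str) -> bytes:
    """Client side: 256-bit vault encryption key. It is never transmitted."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        account_email.lower().encode("utf-8"),  # per-account salt (assumption)
        CLIENT_ITERATIONS,
        dklen=32,
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one-way value sent to the server instead of the password."""
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode("utf-8"), 1, dklen=32
    )


class VaultServer:
    """Hypothetical server: keeps only a salted re-hash and an opaque blob."""

    def __init__(self) -> None:
        self.accounts = {}

    def register(self, email: str, login_hash: bytes, encrypted_vault: bytes) -> None:
        salt = os.urandom(16)
        # Hash the client's hash again so a database leak does not expose
        # the value that is accepted at login.
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)
        self.accounts[email] = {
            "salt": salt,
            "stored_hash": stored,
            "vault": encrypted_vault,
        }

    def fetch_vault(self, email: str, login_hash: bytes):
        """Return the encrypted blob if the login hash verifies, else None."""
        record = self.accounts.get(email)
        if record is None:
            return None
        candidate = hashlib.pbkdf2_hmac(
            "sha256", login_hash, record["salt"], SERVER_ITERATIONS
        )
        if not hmac.compare_digest(candidate, record["stored_hash"]):
            return None
        return record["vault"]


def run_demo() -> dict:
    email = "user@example.test"                  # constructed sample
    passphrase = "correct horse battery staple"  # constructed sample
    key = derive_vault_key(passphrase, email)
    login_hash = derive_login_hash(key, passphrase)
    blob = b"<vault ciphertext produced on the client>"  # placeholder, not real AES output

    server = VaultServer()
    server.register(email, login_hash, blob)

    # A guess with the wrong master password yields a different key and hash.
    wrong_key = derive_vault_key("password", email)
    wrong_hash = derive_login_hash(wrong_key, "password")

    record = server.accounts[email]
    return {
        "key_bits": len(key) * 8,
        "right_password_gets_vault": server.fetch_vault(email, login_hash) == blob,
        "wrong_password_gets_vault": server.fetch_vault(email, wrong_hash) is not None,
        "server_holds_key": key in record.values(),
        "server_holds_login_hash": login_hash in record.values(),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

A successful login only hands back the still-encrypted blob; decrypting it requires the vault key, which the server record never contains.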
Title: Re: Cell Phone question
Post by: brilligtove on April 09, 2019, 04:27:51 PM
... There is no passcode recovery option on my Lastpass vault.

Does this mean they have not created a secondary password, or merely that there's no way for you to recover it? I.e., is it in there where a hacker or crooked employee could get it?

I figure no lock is perfect. The lock just makes it more difficult to open the front door than to smash the window. A password to your accounts just has to make it more difficult to access the account via the password than to convince the account administrator that the thief is you. You probably don't need a 50-character random string to achieve that. But with a password manager, a thief only has to obtain one password to get access to all your accounts.

There are a few problems with this assessment.

"I figure no lock is perfect."
Digital locks are effectively perfect. They make it impossible to open the door in the lifetime of the universe. There is no window to break when the door doesn't open. There is no wall to cut through. If you have a strong master password, you could publish your entire password vault on the internet for everyone to see with complete confidence that it will never ever be decrypted by anyone. The information is utterly and completely protected unless you have the secret key that turns it from noise to signal.

The services that LastPass provides are, in order of priority:
1. Locally installed programs that store passwords in a local secure file.
2. A service that synchronizes local secure files across devices.
3. A web interface providing secure access to an online copy of the secure file.

"A password to your accounts just has to make it more difficult to access the account via the password than to convince the account administrator that the thief is you."
The thousands of companies that have had customer data stolen are able to unlock your account because they have essentially unfettered access to your data. Your data is not protected: your password is protecting access to your data. A criminal can use social engineering to circumvent the password on your account because the employees have their own access to your data.

A system like LastPass is utterly invulnerable to this sort of social hacking because the lock is perfect and they do not have the key.

"But with a password manager, a thief only has to obtain one password to get access to all your accounts."
This is true, as far as it goes. It just ignores the sad reality of human capacity to use passwords. Specifically, we can't remember unique passwords for every site, and we can't remember passwords that have enough entropy to be useful protection. In practice, we use passwords that are easy to remember - which means they are easy to hack. And because we can't manage hundreds of unique passwords, chances are very good that learning one of a person's passwords means learning many of them - maybe all of them.

So sure, it's true that a hacker who gets a hold of my LastPass master password has access to everything - but that hacker has to have physical access to me to do that, and at that point passwords are not going to protect anything. In the real world a password manager is vastly superior protection.
Title: Re: Cell Phone question
Post by: seamas on April 09, 2019, 05:24:53 PM
OK thanks all.

Just to clarify, this is not my phone, it is my 12 year old daughter's phone. Just about all the data was just photos, so I'll just have to do a factory reset. She's only had it since October or so.

The strange thing is, she is 100% certain that she is keying in the right swipe code and that she hasn't changed it.
Title: Re: Cell Phone question
Post by: wastrel on April 09, 2019, 06:36:11 PM
"But with a password manager, a thief only has to obtain one password to get access to all your accounts."
This is true, as far as it goes. It just ignores the sad reality of human capacity to use passwords. Specifically, we can't remember unique passwords for every site, and we can't remember passwords that have enough entropy to be useful protection. In practice, we use passwords that are easy to remember - which means they are easy to hack. And because we can't manage hundreds of unique passwords, chances are very good that learning one of a person's passwords means learning many of them - maybe all of them.

So sure, it's true that a hacker who gets a hold of my LastPass master password has access to everything - but that hacker has to have physical access to me to do that, and at that point passwords are not going to protect anything. In the real world a password manager is vastly superior protection.

That's why I use "password" as my master password, so I'll never forget it.
Title: Re: Cell Phone question
Post by: daniel1948 on April 09, 2019, 07:43:46 PM
... There is no passcode recovery option on my Lastpass vault.

Does this mean they have not created a secondary password, or merely that there's no way for you to recover it? I.e., is it in there where a hacker or crooked employee could get it?

My password vault is encrypted on my computer/phone using 256-bit AES encryption with a key that never leaves my computer.  LastPass never sees the unencrypted vault and does not have access to my key.  They store only the encrypted vault, which they allow me to download if I enter my password.

They also never see my password.  On their server, they store only a cryptographic hash of my password (the result of a one-way function performed on my password on my computer).  And that hash is again hashed on their servers before storage.

At worst someone at LastPass or a hacker could gain access to my encrypted password vault or the hashed version of my password (which, even if they could find a hash collision, would only give them the ability to download my encrypted password vault, not the ability to decrypt that vault).  Without my encryption key, the last estimates I saw were on the order of 10e38 years to brute force.

Someone upthread mentioned that if you choose to implement it, Lastpass has a backup password. My question was whether they create this password for all accounts and just hide it if you don't implement that avenue of recovery, or whether they don't even create it unless you implement that recovery avenue.

The only thing Lastpass does is encrypt data on your phone and, optionally, store the encrypted file. But the whole point of strong passwords is to protect access to accounts elsewhere, such as your bank. There are many avenues a thief might use to try to get access to your bank account. One is to guess or otherwise obtain your password. Let's assume that Lastpass makes it impossible for them to do this. They still have other avenues of attack: Pretend to be you, hack the bank, hack e.g. Target who has (or had) your credit card information on insecure servers. Another way is to kidnap you and hurt you until you give up the information.

If your password is strong enough that any of these other routes are easier for a thief, then your password is as good as a perfect, uncrackable password. No lock is perfect because they can always torture you until you give them the key. An uncrackable password is no better than a password that's good enough that the thief would rather use physical force against you, or use other, subtler methods of impersonating you. And it's been demonstrated that impersonating people is not all that hard, in most cases. If a really strong password was all you need, there would be no market for bulletproof cars.

Just as fingerprint ID makes your phone less secure by creating an additional way in (you can use the fingerprint OR the passcode) so it seems to me that password programs are providing one more route into your accounts.

Of course, for most people it's moot because they use such bad passwords. I had a friend whose password was her dog's name. And she was in other respects an extremely intelligent person. (I know her password because she told me, so that I could get some work-related information she wanted me to have access to.) As far as I know, she didn't change her password after the work was done. Though I never tried it after that.

Title: Re: Cell Phone question
Post by: daniel1948 on April 09, 2019, 07:52:41 PM
... because we can't manage hundreds of unique passwords, chances are very good that learning one of a person's passwords means learning many of them - maybe all of them.

So sure, it's true that a hacker who gets a hold of my LastPass master password has access to everything - but that hacker has to have physical access to me to do that, and at that point passwords are not going to protect anything. In the real world a password manager is vastly superior protection.

First, I only have 2 or 3 sites that any hacker would have any motive to attack, and I can easily remember three very difficult-to-guess passwords. Other sites don't need difficult passwords because there's nothing of any value on them. And he would not need physical access to you: He'd just need to know your Lastpass log-in name and password. I can certainly see that Lastpass has real utility for someone who needs to protect a lot of accounts. I just think there are trade-offs, and that no system is perfect.

But I note that you complain that re-use of passwords is a problem because a person who gets one of your passwords will have access to many or all of your accounts. But that's precisely my complaint about password managers: If a thief gets that one master password, he has access to ALL your accounts.
Title: Re: Cell Phone question
Post by: arthwollipot on April 09, 2019, 08:59:36 PM
First, I only have 2 or 3 sites that any hacker would have any motive to attack...

Any site is worth hacking, if your intent is to set up a zombie cloud to run DDOS attacks. The only prerequisite for that is that it be on the internet.
Title: Re: Cell Phone question
Post by: The Latinist on April 09, 2019, 09:30:23 PM
And he would not need physical access to you: He'd just need to know your Lastpass log-in name and password.

No. He would need to obtain a passphrase that exists nowhere in the world except inside my mind.  It has never been written down or spoken and has never been sent in the clear on any network. The only way he could obtain my passphrase would be to extract it from me through physical violence.  And once he had done that, he would have to have physical access to my cell phone as well as either my physical fingerprint or another unique long passphrase and another pin code for my 2-factor authenticator in order to log into LastPass to obtain my password vault, since it requires two-factor authentication. Alternatively, he could turn off two-factor authentication, but he would need access to an E-mail account that is secured by another unique long, strong, random password...one which not even I know.
Title: Re: Cell Phone question
Post by: daniel1948 on April 09, 2019, 10:43:10 PM
My point is that even with a far lesser degree of password security it would still be easier for him to torture you than to break your password. Once finding your password exceeds a certain degree of difficulty, there's no advantage in making it more difficult because the thief who wants it badly enough will already have turned to more drastic methods, or methods that don't involve accessing the phone at all.

It's like putting 25 deadbolts on your door. Once you've gotten to 2 or 3 the thief is just going to break a window instead. I have a little key safe with a spare key to my house in case I lock myself out. A thief could break open the key safe using some heavy blacksmith type equipment. But it would be easier to kick the door down, so the key safe is all the security I need for my spare key.
Title: Re: Cell Phone question
Post by: Belgarath on April 10, 2019, 05:44:11 AM
My point is that even with a far lesser degree of password security it would still be easier for him to torture you than to break your password. Once finding your password exceeds a certain degree of difficulty, there's no advantage in making it more difficult because the thief who wants it badly enough will already have turned to more drastic methods, or methods that don't involve accessing the phone at all.

It's like putting 25 deadbolts on your door. Once you've gotten to 2 or 3 the thief is just going to break a window instead. I have a little key safe with a spare key to my house in case I lock myself out. A thief could break open the key safe using some heavy blacksmith type equipment. But it would be easier to kick the door down, so the key safe is all the security I need for my spare key.


If you read the link I posted, it makes clear that no one at LastPass has your secondary password.  It works the same way as your primary password but it’s a random client side generated passphrase that you print out and secure.  You can choose not to do that.  In which case you must remember the master.

The point of making it as strong as possible is NOT because someone might commit violence against you but rather to prevent dictionary and other brute force attacks against the hashed and salted password blob.  This actually happened to LastPass a few years ago where hackers gained access to users' password blobs.  This is essentially useless to the hackers for anyone with a strong password.  Using whatever scenario you want it’s going to take trillions of years guessing 100 billion passwords per second to guess my master password.

Wastrel’s password, on the other hand, ..........


Title: Re: Cell Phone question
Post by: daniel1948 on April 10, 2019, 08:11:51 AM
... The point of making it as strong as possible is NOT because someone might commit violence against you but rather to prevent dictionary and other brute force attacks against the hashed and salted password blob.

You miss my point: If you make it hard enough that the thief cannot get the password by guessing or by brute force, he will turn to other methods. Violence, impersonation, etc. The point of difficulty where the thief turns away from guessing or brute force is the point beyond which making the password more secure no longer has any effect.

Example:

If it would take the thief a decade to brute-force my password and it would take a billion years for him to brute-force yours, our two passwords are effectively of equal security. In either case, he will either look for another target, or turn to other methods. A ten-year password is effectively just as good as a billion-year password.
Title: Re: Cell Phone question
Post by: brilligtove on April 10, 2019, 12:00:39 PM
I think we all get your point, Daniel. I think you're missing our point(s).
Title: Re: Cell Phone question
Post by: Billzbub on April 10, 2019, 12:35:45 PM
So if you are using LastPass, how long does it take you to log into your bank?  Do you have to log into last pass on your phone, select your bank, read the difficult-to-memorize password, and then type it into your bank's web site?
Title: Re: Cell Phone question
Post by: wastrel on April 10, 2019, 01:37:32 PM
So if you are using LastPass, how long does it take you to log into your bank?  Do you have to log into LastPass on your phone, select your bank, read the difficult-to-memorize password, and then type it into your bank's web site?

For my bank I have Touch ID, which does add an insecurity.

If I need to enter a password on my phone where I don't have this configured, I go to LastPass (I have LastPass configured for Touch ID; again, this adds a layer of insecurity if someone had access to me and my phone and could compel me to open it, but I acknowledge and accept this risk), search for the site, and tap it.  This loads the password to the clipboard, and I switch back to the app or page and paste.

10 seconds maybe, if I need to enter a password.

Title: Re: Cell Phone question
Post by: The Latinist on April 10, 2019, 01:53:51 PM
So if you are using LastPass, how long does it take you to log into your bank?  Do you have to log into LastPass on your phone, select your bank, read the difficult-to-memorize password, and then type it into your bank's web site?

I sign into my banking app, tap the password manager icon, authenticate with TouchID, and it inserts my password.  I never see the password.  This also works for any website: I click the username field and I am offered a username above the keyboard; I tap on that, authorize with TouchID, and it logs me in.
Title: Re: Cell Phone question
Post by: wastrel on April 10, 2019, 02:05:44 PM
So if you are using LastPass, how long does it take you to log into your bank?  Do you have to log into LastPass on your phone, select your bank, read the difficult-to-memorize password, and then type it into your bank's web site?

I sign into my banking app, tap the password manager icon, authenticate with TouchID, and it inserts my password.  I never see the password.  This also works for any website: I click the username field and I am offered a username above the keyboard; I tap on that, authorize with TouchID, and it logs me in.

My phone doesn't have that in-app LastPass integration.  Is that on the iPhone?  Am I missing some setting?
Title: Re: Cell Phone question
Post by: Billzbub on April 10, 2019, 03:46:18 PM
My password vault is encrypted on my computer/phone using 256-bit AES encryption with a key that never leaves my computer.  LastPass never sees the unencrypted vault and does not have access to my key.  They store only the encrypted vault, which they allow me to download if I enter my password.

So even if you lost your computer and phone in a freak meteor impact, you can just log into LastPass with your password and get your vault back?  I may have to look into this.  I have so many accounts in so many places.  I would just have to leave Netflix out of it so my dad can continue to use my account (I pay for extra simultaneous connections).

When choosing your pass phrase for LastPass, does it give you a bunch of crazy restrictions about needed capital letters and special characters?
Title: Re: Cell Phone question
Post by: Billzbub on April 10, 2019, 03:57:33 PM
Crap, LastPass requires you to install a browser extension.  My work won't allow that, and I'm not allowed to have my phone, either.  So basically, I couldn't manage any finances from work.  Well played, work.  Well played.
Title: Re: Cell Phone question
Post by: The Latinist on April 10, 2019, 05:15:31 PM
So if you are using LastPass, how long does it take you to log into your bank?  Do you have to log into LastPass on your phone, select your bank, read the difficult-to-memorize password, and then type it into your bank's web site?

I sign into my banking app, tap the password manager icon, authenticate with TouchID, and it inserts my password.  I never see the password.  This also works for any website: I click the username field and I am offered a username above the keyboard; I tap on that, authorize with TouchID, and it logs me in.

My phone doesn't have that in-app LastPass integration.  Is that on the iPhone?  Am I missing some setting?

Apps have to be written to integrate password managers, and not all do so.  One of my banks does; the other has built-in TouchID support.

By the way, you can fairly safely copy and paste from the LastPass iPhone app.  Copied passwords stay in the buffer only until they are pasted and time out after two minutes if they aren’t pasted.
Title: Re: Cell Phone question
Post by: wastrel on April 10, 2019, 08:03:23 PM
So if you are using LastPass, how long does it take you to log into your bank?  Do you have to log into LastPass on your phone, select your bank, read the difficult-to-memorize password, and then type it into your bank's web site?

I sign into my banking app, tap the password manager icon, authenticate with TouchID, and it inserts my password.  I never see the password.  This also works for any website: I click the username field and I am offered a username above the keyboard; I tap on that, authorize with TouchID, and it logs me in.

My phone doesn't have that in-app LastPass integration.  Is that on the iPhone?  Am I missing some setting?

Apps have to be written to integrate password managers, and not all do so.  One of my banks does; the other has built-in TouchID support.

By the way, you can fairly safely copy and paste from the LastPass iPhone app.  Copied passwords stay in the buffer only until they are pasted and time out after two minutes if they aren’t pasted.

That's how I do it now, was just confused that you had it in-app.
Title: Re: Cell Phone question
Post by: arthwollipot on April 10, 2019, 09:53:31 PM
Apps have to be written to integrate password managers, and not all do so.

Really? I'm fairly sure that I've had apps that didn't incorporate password manager support start to support it after an update to LastPass when the app itself didn't update.

Obviously I could be wrong about that.
Title: Re: Cell Phone question
Post by: Captain Video on April 10, 2019, 11:15:44 PM
Crap, LastPass requires you to install a browser extension.  My work won't allow that, and I'm not allowed to have my phone, either.  So basically, I couldn't manage any finances from work.  Well played, work.  Well played.

I also have a password manager device. It stores all your passwords on a small device a little larger than a thumb drive with a small LED screen. You plug in with USB and it acts like a keyboard.  There is a wheel for inputting your PIN code which opens it, then you scroll through your passwords and pick the one you want, then it automatically types it into your device (you don't see the password). It works on all Android, Windows, Apple and Linux devices.

I got it from a company in England selling on Etsy. I can't remember the name but when I get home I'll look it up for you.
Title: Re: Cell Phone question
Post by: The Latinist on April 11, 2019, 12:16:41 AM
I need to take that back: as far as I can tell, in-app password manager usage no longer requires application support.  All you need to do is turn it on and select your preferred password manager in Settings > Passwords & Accounts > Autofill Passwords.  I've just tested it in all of my banking apps and it works exactly the same as in Safari: click in the username or password field and the option shows up at the top of the keyboard.  I've just tried it in Citi, BofA, Fandango, Home Depot, Amazon, NameCheap, Geico, eBay, myAT&T, DirecTV NOW, and Netflix and it worked in every case.

Frankly, I think I've been doing this for months without even noticing it. Support for password managers in apps at the OS level was added in iOS 12 in October of last year.
Title: Re: Cell Phone question
Post by: wastrel on April 11, 2019, 11:05:46 AM
Ok that’s awesome. Thanks for checking!!
Title: Re: Cell Phone question
Post by: Belgarath on April 11, 2019, 09:00:41 PM
I need to take that back: as far as I can tell, in-app password manager usage no longer requires application support.  All you need to do is turn it on and select your preferred password manager in Settings > Passwords & Accounts > Autofill Passwords.  I've just tested it in all of my banking apps and it works exactly the same as in Safari: click in the username or password field and the option shows up at the top of the keyboard.  I've just tried it in Citi, BofA, Fandango, Home Depot, Amazon, NameCheap, Geico, eBay, myAT&T, DirecTV NOW, and Netflix and it worked in every case.

Frankly, I think I've been doing this for months without even noticing it. Support for password managers in apps at the OS level was added in iOS 12 in October of last year.

I still occasionally run across an app that doesn't FULLY support the iOS 12 functionality.  In which case you just have to search it and it will autofill the one you select.
Title: Re: Cell Phone question
Post by: brilligtove on April 11, 2019, 09:39:03 PM
Yeah, password manager integration took a huge leap forward on iOS a while back. TBH if you're all-Apple, using the password manager built into iOS is pretty reasonable. I think it can use your iCloud to sync across other Apple devices. I live a hetero life with iOS, Android, Windows, and MacOS in my home, so I can't rely on that.

Billz, the work restrictions suck. If LastPass.com is not blacklisted you can always go there to log in and copy/paste a password from your vault. If your work is that restrictive though? They're likely monitoring (man-in-the-middle) everything you do, so none of your info would be safe. You might have to do your banking on breaks. :(
Title: Re: Cell Phone question
Post by: The Latinist on April 11, 2019, 09:41:37 PM
I need to take that back: as far as I can tell, in-app password manager usage no longer requires application support.  All you need to do is turn it on and select your preferred password manager in Settings > Passwords & Accounts > Autofill Passwords.  I've just tested it in all of my banking apps and it works exactly the same as in Safari: click in the username or password field and the option shows up at the top of the keyboard.  I've just tried it in Citi, BofA, Fandango, Home Depot, Amazon, NameCheap, Geico, eBay, myAT&T, DirecTV NOW, and Netflix and it worked in every case.

Frankly, I think I've been doing this for months without even noticing it. Support for password managers in apps at the OS level was added in iOS 12 in October of last year.

I still occasionally run across an app that doesn't FULLY support the iOS 12 functionality.  In which case you just have to search it and it will autofill the one you select.

I think that most of the time when this happens it’s because the login domain is not the same in the app.  In the DirecTV Now app, for instance, the logins are handled by some sort of cloud services provider rather than directvnow.com.  I added it as an equivalent domain in advanced settings and it now works.
Title: Re: Cell Phone question
Post by: Billzbub on April 12, 2019, 01:57:46 PM
I'm reading about LastPass on their web site, which is not blocked from my work.  They mention auto fill.  If I happen to swipe your phone, The Latinist, and crack your fingerprint, do I then have access to all your LastPass accounts because I can click on a button to autofill them?
Title: Re: Cell Phone question
Post by: wastrel on April 12, 2019, 02:01:58 PM
I'm reading about LastPass on their web site, which is not blocked from my work.  They mention auto fill.  If I happen to swipe your phone, The Latinist, and crack your fingerprint, do I then have access to all your LastPass accounts because I can click on a button to autofill them?

Yes

ETA:
I have LastPass configured for Touch ID; again, this adds a layer of insecurity if someone had access to me and my phone and could compel me to open it, but I acknowledge and accept this risk

All security has a balance between risk and convenience.  You could disable Touch ID if this is a concern.  It isn't to me.
Title: Re: Cell Phone question
Post by: The Latinist on April 12, 2019, 02:23:08 PM
I'm reading about LastPass on their web site, which is not blocked from my work.  They mention auto fill.  If I happen to swipe your phone, The Latinist, and crack your fingerprint, do I then have access to all your LastPass accounts because I can click on a button to autofill them?

Yes, though you will need to get the fingerprint twice to get to them.  And three failed fingerprint attempts will lock you out (either at the lock screen or in the browser).  I also can lock and wipe my phone remotely at a moment's notice, so I judge the risk of a physical attack on my phone minimal.
Title: Re: Cell Phone question
Post by: Captain Video on April 16, 2019, 11:18:07 AM
Crap, LastPass requires you to install a browser extension.  My work won't allow that, and I'm not allowed to have my phone, either.  So basically, I couldn't manage any finances from work.  Well played, work.  Well played.

This is the password manager hardware I mentioned earlier. It works just as the video claims. I don't use it as much as I thought I would but it's a great backup for me; this might be what you need for work.

https://youtu.be/w2RzVxxr5gM

https://www.themooltipass.com/

Title: Re: Cell Phone question
Post by: arthwollipot on April 16, 2019, 10:44:23 PM
Crap, LastPass requires you to install a browser extension.  My work won't allow that, and I'm not allowed to have my phone, either.  So basically, I couldn't manage any finances from work.  Well played, work.  Well played.

This is the password manager hardware I mentioned earlier. It works just as the video claims. I don't use it as much as I thought I would but it's a great backup for me; this might be what you need for work.

My employer (the Australian Government) does not allow non-preapproved devices to be connected to network-connected computers.
Title: Re: Cell Phone question
Post by: Captain Video on April 17, 2019, 12:16:13 AM
Crap, LastPass requires you to install a browser extension.  My work won't allow that, and I'm not allowed to have my phone, either.  So basically, I couldn't manage any finances from work.  Well played, work.  Well played.

This is the password manager hardware I mentioned earlier. It works just as the video claims. I don't use it as much as I thought I would but it's a great backup for me; this might be what you need for work.

My employer (the Australian Government) does not allow non-preapproved devices to be connected to network-connected computers.

So don't connect it to your computer, you can still access the passwords and type them in manually.

Something like this would be worth attempting to get an approval. Everyone would be able to have more secure passwords without going online.
Title: Re: Cell Phone question
Post by: arthwollipot on April 17, 2019, 02:15:16 AM
Crap, LastPass requires you to install a browser extension.  My work won't allow that, and I'm not allowed to have my phone, either.  So basically, I couldn't manage any finances from work.  Well played, work.  Well played.

This is the password manager hardware I mentioned earlier. It works just as the video claims. I don't use it as much as I thought I would but it's a great backup for me; this might be what you need for work.

My employer (the Australian Government) does not allow non-preapproved devices to be connected to network-connected computers.

So don't connect it to your computer, you can still access the passwords and type them in manually.

Something like this would be worth attempting to get an approval. Everyone would be able to have more secure passwords without going online.

I just use LastPass on my phone. I access the passwords and type them in manually. I don't need to carry around an additional device.
Title: Re: Cell Phone question
Post by: Captain Video on April 17, 2019, 11:27:06 AM
Crap, LastPass requires you to install a browser extension.  My work won't allow that, and I'm not allowed to have my phone, either.  So basically, I couldn't manage any finances from work.  Well played, work.  Well played.

This is the password manager hardware I mentioned earlier. It works just as the video claims. I don't use it as much as I thought I would but it's a great backup for me; this might be what you need for work.

My employer (the Australian Government) does not allow non-preapproved devices to be connected to network-connected computers.

So don't connect it to your computer, you can still access the passwords and type them in manually.

Something like this would be worth attempting to get an approval. Everyone would be able to have more secure passwords without going online.

I just use LastPass on my phone. I access the passwords and type them in manually. I don't need to carry around an additional device.

Which is why I was responding to Billz, who is not permitted to use a phone. I'm not sure why you responded at all if you were not interested.
Title: Re: Cell Phone question
Post by: arthwollipot on April 17, 2019, 10:57:24 PM
Crap, LastPass requires you to install a browser extension.  My work won't allow that, and I'm not allowed to have my phone, either.  So basically, I couldn't manage any finances from work.  Well played, work.  Well played.

This is the password manager hardware I mentioned earlier. It works just as the video claims. I don't use it as much as I thought I would but it's a great backup for me; this might be what you need for work.

My employer (the Australian Government) does not allow non-preapproved devices to be connected to network-connected computers.

So don't connect it to your computer, you can still access the passwords and type them in manually.

Something like this would be worth attempting to get an approval. Everyone would be able to have more secure passwords without going online.

I just use LastPass on my phone. I access the passwords and type them in manually. I don't need to carry around an additional device.

Which is why I was responding to Billz, who is not permitted to use a phone. I'm not sure why you responded at all if you were not interested.

Because I didn't realise or had missed that the device could be used without having to connect it to your computer. I was attempting to point out that not all environments allow connection of random USB devices. I didn't, and don't, think it would be too much of a stretch to conclude that an environment that didn't allow mobile phones also would not allow USB devices to be connected to networked computers. That having been cleared up, I'll shut up now if you like.
Title: Re: Cell Phone question
Post by: Captain Video on April 18, 2019, 12:53:01 AM
Crap, LastPass requires you to install a browser extension.  My work won't allow that, and I'm not allowed to have my phone, either.  So basically, I couldn't manage any finances from work.  Well played, work.  Well played.

This is the password manager hardware I mentioned earlier. It works just as the video claims. I don't use it as much as I thought I would but it's a great backup for me; this might be what you need for work.

My employer (the Australian Government) does not allow non-preapproved devices to be connected to network-connected computers.

So don't connect it to your computer, you can still access the passwords and type them in manually.

Something like this would be worth attempting to get an approval. Everyone would be able to have more secure passwords without going online.

I just use LastPass on my phone. I access the passwords and type them in manually. I don't need to carry around an additional device.

Which is why I was responding to Billz, who is not permitted to use a phone. I'm not sure why you responded at all if you were not interested.

Because I didn't realise or had missed that the device could be used without having to connect it to your computer. I was attempting to point out that not all environments allow connection of random USB devices. I didn't, and don't, think it would be too much of a stretch to conclude that an environment that didn't allow mobile phones also would not allow USB devices to be connected to networked computers. That having been cleared up, I'll shut up now if you like.

I didn't mean for that post to sound so sarcastic, so I guess I deserved that last comment, sorry.

Title: Re: Cell Phone question
Post by: arthwollipot on April 18, 2019, 01:56:47 AM
Crap, LastPass requires you to install a browser extension.  My work won't allow that, and I'm not allowed to have my phone, either.  So basically, I couldn't manage any finances from work.  Well played, work.  Well played.

This is the password manager hardware I mentioned earlier. It works just as the video claims. I don't use it as much as I thought I would but it's a great backup for me; this might be what you need for work.

My employer (the Australian Government) does not allow non-preapproved devices to be connected to network-connected computers.

So don't connect it to your computer, you can still access the passwords and type them in manually.

Something like this would be worth attempting to get an approval. Everyone would be able to have more secure passwords without going online.

I just use LastPass on my phone. I access the passwords and type them in manually. I don't need to carry around an additional device.

Which is why I was responding to Billz, who is not permitted to use a phone. I'm not sure why you responded at all if you were not interested.

Because I didn't realise or had missed that the device could be used without having to connect it to your computer. I was attempting to point out that not all environments allow connection of random USB devices. I didn't, and don't, think it would be too much of a stretch to conclude that an environment that didn't allow mobile phones also would not allow USB devices to be connected to networked computers. That having been cleared up, I'll shut up now if you like.

I didn't mean for that post to sound so sarcastic, so I guess I deserved that last comment, sorry.

I understand.  ;D
Title: Re: Cell Phone question
Post by: Swagomatic on April 19, 2019, 11:54:39 AM
So, I just got a new Samsung S10e, and I'm having trouble with the Patreon app.  I had an iPhone before, and I was using the Patreon app to listen to all of my subscribed-to podcasts, but on the S10e, the app does not play podcasts, and when I download a podcast, it goes into Google Music or something.  Does anyone have any idea of what may be going on?  I'm not quite dialed into the Android environment after five years with an iPhone.
Title: Re: Cell Phone question
Post by: brilligtove on April 19, 2019, 12:06:50 PM
There may be a setting in Google Music or in the Google Podcast app that makes one of them the default player for podcasts. I know I had to tell Google Music that I did not want to include my PocketCast podcasts in my music library. That may be part of the problem, at least.
Title: Re: Cell Phone question
Post by: Swagomatic on April 19, 2019, 12:20:11 PM
It's weird.  I got it to play some stuff yesterday, and this morning, I was able to listen to about 10 minutes of a podcast, then it stopped.  I am definitely looking at the default settings.  Thanks
Title: Re: Cell Phone question
Post by: brilligtove on April 22, 2019, 02:48:57 PM
On the password question: https://www.ctvnews.ca/sci-tech/more-than-23-million-people-have-used-the-world-s-most-hackable-password-1.4389258