|
|
ForgotPassword
What to do if you forget your password
If you forget your password, your data is not recoverable. Encryption and Authentication is different - encryption uses your password to generate an encryption key (or keys for asymetric encryption, however Lockbox uses symmetric AES128) to encode and decode your data. The key can't be generated w/o the password - hence the security of encryption.
For authentication like logging in to a website, you can often reset your password. This is because you simply need to prove knowledge of what it is, which is accomplished through various methods, but not necessary to retrieve the data. If such a reset method existed, it would be a huge security hole.
Currently in 0.5 of Lockbox, you have to delete your data to reset your password. If you installed from the repository here, upon uninstall, it asks you if you want to uninstall. Ste's repository doesn't at the moment.
Sign in to add a comment
How about if you remember your password and backed up the Lockbox_v1.dat file. How can you get at this data? Because, if you uninstall and then reinstall (like, say, if you restore your iphone or upgrade to a different firmware) there doesn't seem to be any way of getting at the data! I have reinstalled a fresh copy of Lockbox and then replaced the Lockbox_v1.dat file from backup and then tried to open Lockbox. It continually gives me an "Invalid Password" error.
Through much trial and tribulation, reading the source to Lockbox, SSCrypto and the OpenSSL docs, I have confirmed that the following command on any UNIX box where you have OpenSSL installed will dump your data file out in plain text (albeit very ugly, unformatted, binary-ish looking, but at least your data will be readable in between the gobbly-gook):
# openssl aes-128-cbc -d -nosalt -in Lockbox_v1.dat -k <yourpassword>
Of course, you still need to remember your password. But this may help someone trying to hack.
Not so much a lost password problem, but Lockbox just collapses back to Springboard after I've entered the correct password. I've checked the permissions are set to 755 at both Applications directory, and within var/root/library/ directory. I am on firmware1.1.1 I have also tried uninstalling , and reinstalling Lockbox 0.5 but the problem remains. Please help! thanks
here is some crude code to find Lockbox_v1.dat on raw data partiotion (if you remember you password): ftp://dimonb.selfip.net/lockdecrypt.c compile it: gcc -o lockdecrypt -O2 -lssl lockdecrypt.c and use it at your own risk.
This script could help you in situation where you have to restore you iPhone and have no backed up Lockbox_v1.dat (backup your data!!!) after restoring iphone, install ssh and bsd subsystem.. then copy user partition to your desktop (using dd + ssh). And use this tool to find encrypted data through 8 (or 16Gb) of user partition... it could take some long time.
sample: $ ./lockdecrypt -p "123" -f ~/var.img >scan.log $ cat scan.log | grep found
should printout found values
then use for each found value: $ dd if=~/var.img bs=1 count=4096 skip=<found value> | openssl aes-128-cbc -d -nosalt -k "123" you could see some decrypted data
mdotcheung, you were seeing another issue unrelated to forgetting a password. It's fixed now in 0.7.1.
dimonb and hockeysk8, thanks alot for those useful tips.
Can anybody verify that the raw openssl decryption trick from hockeysk8 still works with v0.7.1? I am getting an error1? and can't see any recognizable passwords in the dump. I hope this doesn't mean that Lockbox_v1.dat is truly corrupted beyond repair...
1? bad decrypt 14232:error:06065064:digital envelope routines:EVP_DecryptFinal_ex?:bad decrypt:evp_enc.c:461: