Android password and pattern

I have a phone with LineageOS 14.1 (Android 7.1.2) and want to use a password for booting the phone, and ideally for unlocking after a given time, but otherwise use pattern unlock.

The rationale is that you can brute force most patterns, while strong passwords are difficult.

Does anyone know if this is possible?

you can brute force most patterns while strong passwords are difficult

use a password for booting the phone and ideally for unlock after a given time but besides that use pattern unlock

I’m not quite sure if I follow your reasoning…

In any case, how about using a reasonably long numerical PIN? 6 digits is a million combinations, not quite as strong as an alpha-numeric password but arguably better than a pattern, and I’d say it takes similar effort to enter.


6 digits takes a blink of an eye for a computer to break; 12 ASCII characters take several hundred thousand years. That's my reasoning.

Obviously such an adversary is an expert, a government, or some hacker group, and not someone who steals your phone to sell it.

https://howsecureismypassword.net/

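The keyspace arithmetic behind the two posts above, as an added example that is not part of the thread: it enumerates every valid 3x3 unlock pattern (4 to 9 dots, no dot reused, and a stroke may not pass over a dot that has not been visited yet), puts that next to the 6-digit PIN and 12-character printable-ASCII spaces, and converts each into an expected cracking time at two assumed guess rates. The rates (a billion guesses per second offline, and roughly five guesses per 30-second lockout window on the device) are assumptions for illustration, not measurements of any particular phone.

```python
import math

GRID = 3  # Android's default 3x3 dot grid


def _dot_between(a, b):
    """Return the dot that lies exactly between a and b, or None.

    Dots are numbered 0..8 row-major. A stroke from a to b passes over a
    third dot only when a and b are two steps apart in a straight line
    (same row, same column, or a full diagonal)."""
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * GRID + (ca + cb) // 2
    return None


def count_patterns(min_len=4, max_len=9):
    """Count valid patterns, keyed by number of dots used.

    A move to an unvisited dot is legal unless it would jump over a dot
    that has not been visited yet (the UI snaps to that dot instead)."""
    counts = {}

    def walk(path, visited):
        if len(path) >= min_len:
            counts[len(path)] = counts.get(len(path), 0) + 1
        if len(path) == max_len:
            return
        for nxt in range(GRID * GRID):
            if nxt in visited:
                continue
            mid = _dot_between(path[-1], nxt)
            if mid is not None and mid not in visited:
                continue  # stroke would skip an unvisited dot
            path.append(nxt)
            visited.add(nxt)
            walk(path, visited)
            path.pop()
            visited.remove(nxt)

    for start in range(GRID * GRID):
        walk([start], {start})
    return counts


def keyspace(kind, length=None):
    """Number of distinct secrets for each lock type."""
    if kind == "pattern":
        return sum(count_patterns().values())
    if kind == "pin":
        return 10 ** length
    if kind == "ascii":
        return 95 ** length  # printable ASCII, assumed character set
    raise ValueError(kind)


def expected_crack_seconds(space, guesses_per_second):
    """On average an attacker finds the secret after half the keyspace."""
    return (space / 2) / guesses_per_second


# Assumed rates for the comparison (not measured on any device).
OFFLINE_RATE = 1e9          # fast hardware working on extracted material
THROTTLED_RATE = 5 / 30.0   # ~5 tries per 30 s lockout window on the device


def comparison():
    """Return {lock: (keyspace, offline_years, on_device_years)}."""
    rows = {
        "pattern (3x3)": keyspace("pattern"),
        "pin (6 digits)": keyspace("pin", 6),
        "ascii (12 chars)": keyspace("ascii", 12),
    }
    year = 365.25 * 24 * 3600
    return {
        name: (n,
               expected_crack_seconds(n, OFFLINE_RATE) / year,
               expected_crack_seconds(n, THROTTLED_RATE) / year)
        for name, n in rows.items()
    }


if __name__ == "__main__":
    by_len = count_patterns()
    print("patterns by length:", by_len, "total:", sum(by_len.values()))
    for name, (n, off, dev) in comparison().items():
        print(f"{name:18s} space=2^{math.log2(n):5.1f} "
              f"offline={off:.3g} y  on-device={dev:.3g} y")
```

The interesting output is the gap between the two columns: a pattern or 6-digit PIN falls in under a second offline but takes decades through the throttled on-device path, so the question of which rate an attacker actually gets is the whole argument, which the later posts pick up.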

Sure, so why do you want to use the pattern at all?

I’d start with asking myself the question of whom I am trying to protect myself from? Does an individual or group of individuals exist that would want to get my data bad enough to steal my phone and brute force the password?

If you’re just trying to protect your selfies from a thief/robber then a PIN is in my opinion a good balance between security and convenience. The device that gets stolen would be wiped and resold; I don’t imagine there being enough interest in the data of a random stranger from people engaging in such activities to bother “hacking” into my smartphone.

If you’re trying to make things inconvenient to state-level actors, then I wouldn’t recommend using the pattern at all, since the attacker can be assumed to be competent enough to have done the homework and found out about your setup (by means which include but are not limited to reading your post on this forum) and make sure they do everything in their power to decrypt the device within the “given time” before the more secure password kicks in. And then there are hundreds of other ways they can “get you” that don’t involve going anywhere near your phone.

In conclusion to my rather lengthy rant, I think I get where you’re coming from but I don’t think the particular balance between security and convenience (and that’s all you can ever hope for, with regards to security) you described makes a whole lot of practical sense.

Also, to answer your actual question, I don’t think that’s possible on your device.

No, because android protects against repeated attempts. When getting the pattern wrong five times for example it will not accept any other attempt for 30 seconds. Get it wrong again and you’ll have to wait even longer, etc.

Developers ain’t stupid :man_shrugging:

No, because android protects against repeated attempts.

I could be wrong, but I think you can perform the brute force attack on an image of the phone, and not necessarily the phone itself. In this case you can have multiple copies of the image against which your attack is run, and as a bonus you can speed this up even further by virtue of being able to do it in parallel.

edit: looks like what I described shouldn’t be possible since Android 5.0 - https://www.kaspersky.com/blog/full-disk-encryption-android-5/6423/

To add on to this, if your phone has the option you can wipe it after 10 wrong attempts and add in timeouts after 3, 5, or 7 incorrect tries, preventing brute forcing.

If a person gets the phone physically though, you’re gonna be SOL.


If I want to access the phone several times within an hour a long and complex password is a bit of a pain to enter.

If the phone is taken from me and the adversary wants to bypass the built-in unlock, they’d be expected to turn off the phone, find some hash on it and then brute force that on different hardware. Attempts to access the phone via its own lock mechanism will of course result in delays when incorrect attempts are made, at which point pattern would switch to password, or it could of course switch to password after a failed attempt. The pattern would be used for unlocking the device but never for decrypting.

In part it’s a matter of principle I suppose but it doesn’t hurt to be on the safe side. I don’t expect James Bond, Ethan Hunt or Red Sparrow to seduce me and take my phone to MI6, CIA or KGB respectively.

And mainly because you are not limited by the phone’s restrictions on how many attempts you are allowed before it forces you to wait.

Doesn’t matter if it’s FDE. The password you don’t store on the device (pattern, PIN, password) determines the difficulty of decrypting it. Now a pattern isn’t by itself really part of any encryption standard, so most likely it converts to a salted hash used as the password for an AES key or similar that is stored on the device. This can be put on some security chip or other hard-to-get place, but it is there, and sooner or later the manufacturer will be taken to court over it or the Israelis will build a workaround.

Nope, not if you get the keys and hashes from the device and do the brute forcing on some other hardware to find the password that you use and that is not on the device; if it’s easy, decryption is easy.
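A simplified model of the two situations argued about above (the post suggesting brute force against an image of the phone, with its edit that this should no longer work since Android 5.0, and the posts just above about the unlock secret being turned into a key that unwraps a stored master key). This is an added example, not code from the thread and not Android's actual key-derivation scheme: the wrapping is a toy XOR against a hash stream rather than AES, the PBKDF2 iteration count is deliberately tiny so the demo finishes in seconds, and the "device secret" stands in for a key that a hardware-backed keystore would use but never hand out. The point it shows is that the attacker can test guesses offline only when everything needed to verify a guess is in the copied image.

```python
import hashlib
import hmac
import os

ITERATIONS = 100  # deliberately low for the demo; real schemes use far more (assumption)
PIN_LEN = 4       # a 4-digit PIN keeps the search space small for the demo


def derive_kek(pin: str, salt: bytes, device_secret: bytes = None) -> bytes:
    """Turn the user secret into a key-encryption key.

    Without a device secret, everything here is computable from the
    storage image alone, so guesses can be checked anywhere. With one,
    the final step needs a secret the image does not contain (standing in
    for a key held inside hardware that only the device can use)."""
    kek = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=32)
    if device_secret is not None:
        kek = hmac.new(device_secret, kek, "sha256").digest()
    return kek


def xor_wrap(kek: bytes, data: bytes) -> bytes:
    """Toy symmetric wrap (XOR with a hash-derived stream); same call unwraps."""
    stream = hashlib.sha256(b"wrap" + kek).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def make_image(pin: str, device_secret: bytes = None):
    """Simulate what ends up on flash: salt, wrapped master key, check value.

    The 8-byte check value is what lets anyone test whether an unwrap
    produced the right master key. Returns (image, master) so the demo can
    confirm a successful unlock; a real attacker only has the image."""
    salt = os.urandom(16)
    master = os.urandom(32)
    kek = derive_kek(pin, salt, device_secret)
    image = {
        "salt": salt,
        "wrapped_master": xor_wrap(kek, master),
        "check": hashlib.sha256(master).digest()[:8],
    }
    return image, master


def try_unlock(image, pin: str, device_secret: bytes = None):
    """Return the master key if this PIN unwraps it, else None."""
    kek = derive_kek(pin, image["salt"], device_secret)
    master = xor_wrap(kek, image["wrapped_master"])
    if hashlib.sha256(master).digest()[:8] == image["check"]:
        return master
    return None


def offline_crack(image):
    """Attacker with a copy of the image and no device secret.

    No lockout applies here: each guess is just a KDF call on the
    attacker's own hardware. Returns (pin or None, guesses made)."""
    total = 10 ** PIN_LEN
    for n in range(total):
        pin = f"{n:0{PIN_LEN}d}"
        if try_unlock(image, pin) is not None:
            return pin, n + 1
    return None, total


def demo(pin="7351"):
    """Crack an image with and without the hardware-bound step."""
    plain_image, _ = make_image(pin)
    bound_image, _ = make_image(pin, device_secret=os.urandom(32))
    return {
        "software_only": offline_crack(plain_image),
        "hardware_bound": offline_crack(bound_image),
    }


if __name__ == "__main__":
    for scenario, (found, guesses) in demo().items():
        print(f"{scenario:15s} -> pin={found} after {guesses} guesses")
```

Running it prints the PIN recovered from the software-only image after a few thousand guesses and nothing at all from the hardware-bound one after the whole keyspace, which is the difference the Kaspersky link is describing: the unlock secret is still weak, but without the device's own key there is nothing an attacker can check a guess against, so the only path left is the throttled one on the phone itself.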

Since this has moved in a broader direction, there is also the possibility of attacking the device while it’s on by physically accessing the hardware, e.g. listening to some system bus, but this would be extraordinarily difficult and would depend on the OS and hardware, and it’s beyond my resources to consider that. Quantum entangled bits that can’t be eavesdropped on would of course be nice.

Brute forcing on-screen, no one really does that. Sure, you can set a longer password or PIN to keep some people out, but typically if the phone is encrypted, it’s only encrypted on shutdown, so if you plug in a cable while your phone is powered on you can access everything despite what the phone says.

It’s a placebo to encrypt your phone in a sense; governments, companies and even l33t haxors can get your stuff if they want to.

Protip: for everything you don’t want to get leaked, use a separate device you control and know how it functions.

Philosophical debates about the accuracy of his threat modeling aside, the man asked if he could use a password and then a pattern to unlock his device.

Answer:
I believe password and pattern is possible based on the kaspersky link posted earlier. You would have to enable full disk encryption by going to settings>security>encrypt phone to set up the password and then for the pattern go to settings>security>screen lock>pattern. This would ask you for the password only at boot time (I don’t think setting a time out is possible) and then would prompt for pattern at all other times. I’ll update if I try full disk encryption on a spare phone to see if this works the way I assume it would.

That being said, I agree with other posters though: it’s very useful to determine who you are trying to protect yourself from. You can’t be protected from everyone all the time; that would require near-constant research and would be entirely exhausting to do effectively. Personally, my threat model basically only includes sneaky friends/girlfriends, thieves, average hackers and unnecessary accumulations of personal data by big companies. It’s interesting to research how one would protect oneself from big governments and such, but personally the convenience I would have to give up (constant research, developing/inspecting custom hardware, inspecting all open source software I install and nothing closed source) would not be worth what I would gain.
