Tuesday, June 30, 2020

Top 18 Websites to Learn How to Hack Like a Pro

  1. SecTools.Org: List of 75 security tools based on a 2003 vote by hackers.
  2. Packet Storm: Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers.
  3. Metasploit: Find security issues, verify vulnerability mitigations & manage security assessments with Metasploit. Get the worlds best penetration testing software now.
  4. HackRead: HackRead is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance, and Hacking News with full-scale reviews on Social Media Platforms.
  5. SecurityFocus: Provides security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.
  6. Makezine: Magazine that celebrates your right to tweak, hack, and bend any technology to your own will.
  7. Hack Forums: Emphasis on white hat, with categories for hacking, coding and computer security.
  8. KitPloit: Leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security.
  9. Hacked Gadgets: A resource for DIY project documentation as well as general gadget and technology news.
  10. Hakin9: E-magazine offering in-depth looks at both attack and defense techniques and concentrates on difficult technical issues.
  11. Black Hat: The Black Hat Briefings have become the biggest and the most important security conference series in the world by sticking to our core value: serving the information security community by delivering timely, actionable security information in a friendly, vendor-neutral environment.
  12. The Hacker News: The Hacker News — most trusted and widely-acknowledged online cyber security news magazine with in-depth technical coverage for cybersecurity.
  13. Phrack Magazine: Digital hacking magazine.
  14. Offensive Security Training: Developers of Kali Linux and Exploit DB, and the creators of the Metasploit Unleashed and Penetration Testing with Kali Linux course.
  15. NFOHump: Offers up-to-date .NFO files and reviews on the latest pirate software releases.
  16. DEFCON: Information about the largest annual hacker convention in the US, including past speeches, video, archives, and updates on the next upcoming show as well as links and other details.
  17. Exploit DB: An archive of exploits and vulnerable software by Offensive Security. The site collects exploits from submissions and mailing lists and concentrates them in a single database.
  18. Hackaday: A hardware hack every day.

Thursday, June 11, 2020

5 BEST HACKING BOOKS 2018

Most of the people don't go with videos and read books for learning. Book reading is a really effective way to learn and understand how things work. There are plenty of books about computers, security, penetration testing and hacking. Every book shows a different angle how things work and how to make system secure and how it can be penetrated by hackers. So, here I have gathered a few of the best hacking books of 2018 available on the market.

BEST HACKING BOOKS OF 2018

There are hundreds of books about hacking, but I have streamlined few of best hacking books of 2018.

1. THE HACKER'S PLAYBOOK PRACTICAL GUIDE TO PENETRATION

This handbook is about experting yourself with the hacking techniques in the hacker's way. This is about penetration testing that how hackers play their techniques and how we can counter them.

CONTENTS

  • Introduction
  • Pregame – The Setup
  • Setting Up a Penetration Testing Box
  • Before the Snap – Scanning the Network
  • The Drive – Exploiting Scanner Findings
  • The Throw – Manual Web Application Findings
  • The Lateral Pass – Moving Through the Network
  • The Screen – Social Engineering
  • The Onside Kick – Attacks that Require Physical Access
  • The Quarterback Sneak – Evading AV
  • Special Teams – Cracking, Exploits, Tricks
  • Post Game Analysis – Reporting
Download the Hacker's Playbook Practical Guide to Penetration.

2. ANDROID HACKER'S HANDBOOK

The Android Hacker's Handbook is about how the android devices can be hacked. Authors chose to write this book because the field of mobile security research is so "sparsely charted" with disparate and conflicted information (in the form of resources and techniques).

CONTENTS

  • Chapter 1 Looking at the Ecosystem
  • Chapter 2 Android Security Design and Architecture
  • Chapter 3 Rooting Your Device
  • Chapter 4 Reviewing Application Security
  • Chapter 5 Understanding Android's Attack Surface
  • Chapter 6 Finding Vulnerabilities with Fuzz Testing
  • Chapter 7 Debugging and Analyzing Vulnerabilities
  • Chapter 8 Exploiting User Space Software
  • Chapter 9 Return Oriented Programming
  • Chapter 10 Hacking and Attacking the Kernel
  • Chapter 11 Attacking the Radio Interface Layer
  • Chapter 12 Exploit Mitigations
  • Chapter 13 Hardware Attacks
Download Android Hacker's Handbook.

3. PENETRATION TESTING: A HANDS-ON INTRODUCTION TO HACKING

This book is an effective practical guide to penetration testing tools and techniques. How to penetrate and hack into systems. This book covers beginner level to highly advanced penetration and hacking techniques.

CONTENTS

  • Chapter 1: Setting Up Your Virtual Lab
  • Chapter 2: Using Kali Linux
  • Chapter 3: Programming
  • Chapter 4: Using the Metasploit Framework
  • Chapter 5: Information Gathering
  • Chapter 6: Finding Vulnerabilities
  • Chapter 7: Capturing Traffic
  • Chapter 8: Exploitation
  • Chapter 9: Password Attacks
  • Chapter 10: Client-Side Exploitation
  • Chapter 11: Social Engineering
  • Chapter 12: Bypassing Antivirus Applications
  • Chapter 13: Post Exploitation
  • Chapter 14: Web Application Testing
  • Chapter 15: Wireless Attacks
  • Chapter 16: A Stack-Based Buffer Overflow in Linux
  • Chapter 17: A Stack-Based Buffer Overflow in Windows
  • Chapter 18: Structured Exception Handler Overwrites
  • Chapter 19: Fuzzing, Porting Exploits, and Metasploit Modules
  • Chapter 20: Using the Smartphone Pentesting Framework
Download Penetration Testing: A Hands-On Introduction To Hacking.

4. THE SHELLCODER'S HANDBOOK

This book is about learning shellcode's of the OS and how OS can be exploited. This book is all about discovering and exploiting security holes in devices to take over.
Authors: Chris Anley, John Heasman, Felix "FX" Linder, Gerardo Richarte.

CONTENTS

  • Stack Overflows
  • Shellcode
  • Introduction to Format String Bugs
  • Windows Shellcode
  • Windows Overflows
  • Overcoming Filters
  • Introduction to Solaris Exploitation
  • OS X Shellcode
  • Cisco IOS Exploitation
  • Protection Mechanisms
  • Establishing a Working Environment
  • Fault Injection
  • The Art of Fuzzing
  • Beyond Recognition: A Real Vulnerability versus a Bug
  • Instrumented Investigation: A Manual Approach
  • Tracing for Vulnerabilities
  • Binary Auditing: Hacking Closed Source Software
  • Alternative Payload Strategies
  • Writing Exploits that Work in the Wild
  • Attacking Database Software
  • Unix Kernel Overflows
  • Exploiting Unix Kernel Vulnerabilities
  • Hacking the Windows Kernel
Download The ShellCoder's HandBook.

5. THE HACKER'S HANDBOOK WEB APPLICATION SECURITY FLAWS

This handbook is about finding and exploiting the web applications.
Authors: Dafydd Stuttard, Marcus Pinto.

CONTENTS

  • Chapter 1 Web Application (In)security
  • Chapter 2 Core Defense Mechanisms
  • Chapter 3 Web Application Technologies
  • Chapter 4 Mapping the Application
  • Chapter 5 Bypassing Client-Side Controls
  • Chapter 6 Attacking Authentication
  • Chapter 7 Attacking Session Management
  • Chapter 8 Attacking Access Controls
  • Chapter 9 Attacking Data Stores
  • Chapter 10 Attacking Back-End Components
  • Chapter 11 Attacking Application Logic
  • Chapter 12 Attacking Users: Cross-Site Scripting
  • Chapter 13 Attacking Users: Other Techniques
  • Chapter 14 Automating Customized Attacks
  • Chapter 15 Exploiting Information Disclosure
  • Chapter 16 Attacking Native Compiled Applications
  • Chapter 17 Attacking Application Architecture
  • Chapter 18 Attacking the Application Server
  • Chapter 19 Finding Vulnerabilities in Source Code
  • Chapter 20 A Web Application Hacker's Toolkit
  • Chapter 21 A Web Application Hacker's Methodology
So, these are the top 5 best hacking books on the market. There may be more fascinating books in the future that make take place in the top list. But for now, these are the best hacking books. Read and share your experience with these books.
Related word
  1. Pentest Basics
  2. Pentest Cheat Sheet
  3. Pentest Firewall
  4. Pentest Active Directory
  5. Hacker Lab
  6. Hacker Kevin Mitnick
  7. Pentest With Metasploit
  8. Hacking Software
  9. Hacker Prank
  10. Pentest+ Vs Ceh
  11. Pentestlab
  12. Pentest Uk
  13. Pentest Framework
  14. Pentest Hardware
  15. Hacking Script
  16. Hacking Simulator
  17. Hacker Anonymous

Ophcrack


" Ophcrack is an open source (GPL license) program that cracks Windows LM hashes using rainbow tables. The program includes the ability to import the hashes from a variety of formats, including dumping directly from the SAM files of Windows. There is also a Live CD version which automates the retrieval, decryption, and cracking of passwords from a Windows system. Rainbow tables for LM hashes of alphanumeric passwords are provided for free by the developers. These tables can crack 99.9% of alphanumeric passwords of up to 14 characters in usually a few seconds, and at most a few minutes. Larger rainbow tables (for LM hashes of passwords with all printable characters, including symbols and space) are available for purchase from Objectif Securité. Starting with version 2.3, Ophcrack also cracks NT hashes. This is necessary if generation of the LM hash is disabled (this is default on Windows Vista), or if the password is longer than 14 characters (in which case the LM hash is not stored)." read more...

Website: http://ophcrack.sourceforge.net

Related posts


  1. Pentest Tools Free
  2. Pentest Checklist
  3. Pentest Aws
  4. Hacking 3Ds
  5. Pentest Android App
  6. Pentest Distro
  7. Hacker Computer
  8. Pentest News
  9. Hacking Linux
  10. Hacker Website
  11. Pentest Tools Framework
  12. Hacking Growth
  13. Pentest Security
  14. Hacking
  15. Pentest Ftp
  16. Pentesting
  17. Pentest Environment
  18. Pentest Dns Server
  19. Pentest Box
  20. Hacking Games Online

Wednesday, June 10, 2020

Cuando Un Bypass De UAC En Windows Es Un "Bug" O Una "Feature"

El artículo de hoy lo escribo por algunas razones, las cuales comentaré en breve. El punto para reflexionar es: ¿Qué es un bypass de UAC? Para muchos una técnica desprestigiada en un Ethical Hacking, para otros una vía a tener en cuenta en la obtención de privilegios o la obtención de una shell en un nivel de integridad alto de Windows.  Puedo equivocarme en lo que comente en este artículo o puede que tengas otra visión, pero vamos a ir viendo y matizando ciertos aspectos que cubren a esta técnica. 

Figura 1: Cuando un Bypass de UAC en Windows es un "Bug" o una "Feature"

Lo primero, y seguramente más importante, ¿Es una vulnerabilidad? Para Microsoft no es una vulnerabilidad, es una opción de configuración. Y, técnicamente, es cierto. Es decir, si cambias la configuración por defecto del UAC, la inmensa mayoría de los bypasses conocidos dejan de funcionar. El mecanismo de UAC funciona, solo que depende de su configuración


Por supuesto, si lo que quieres es aplicar Máxima Seguridad a tu Windows, esto es algo que se aplica en primer paso. Es decir, quitar la configuración por defecto y aplicar la que exige a todos los binarios la confirmación UAC, y no permite el autoelevado. Vamos un poco más allá para entenderlo. ¿Cómo nos protegemos de los bypasses de UAC? Vamos primero a ver la GPO, para lo que buscamos: 

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode

Ahí encontraremos uno de los motivos por los que los bypasses de UAC funcionan. Como se puede ver en la imagen, se pedirá consentimiento, por parte del UAC, solo a los procesos que no sean binarios de Windows. Realmente, hay un mayor detalle en esto que comentaré a continuación.

Figura 3: Política para UAC para los binarios que no son de Windows

Aparte de ser un "binario de Windows", que esto no es más que se encuentre firmado por Microsoft, éste debe ser además un binario con una directiva en el Manifest con "Auto-Elevate"  con valor "True". Es decir, le están diciendo al sistema que el binario, aparte de estar firmado por Microsoft, éste tiene una especie de "carnet especial" o "pase especial" y que no debe rendir cuentas al UAC

Por último, otra de las comprobaciones que hace el sistema es que el binario se esté ejecutando en una ruta "privilegiada", por ejemplo, System32. Si recordamos el bypass de UAC de Mocking Directory Trusted, gracias a un fallo de interpretación de una de las APIs internas del sistema se podía "saltar" esta protección.

Figura 4: Libro de Hacking Windows

Desde el punto de vista del pentesting tenemos que tener en cuenta algunas cosas también. Lo que parece más lógico, pero que a veces la gente puede no entender bien es que, para pasar a un nivel de integridad alto, debes de estar en otro nivel de integridad, inferior se entiende. 

En el caso de un bypass de UAC debes partir desde un nivel de integridad medio. Por esta razón, el módulo de Metasploit, cuando se hace cualquier bypass de UAC de forma automática, nos muestra los diferentes chequeos, entre ellos el nivel de integridad actual.

Figura 5: ByPass de UAC en Metasploit

Como se puede observar, una de las cosas que se chequean es el nivel de integridad. Si estuviéramos en un nivel de integridad alto y no nos hubiéramos dado cuenta, sería una cosa muy extraña, porque demostraríamos no tener el control de lo que hacemos, pues ya estaríamos "elevados", por lo que no tendría sentido realizar esta operación. Puede que nuestro proceso no se encuentre en un nivel de integridad medio y estemos más abajo, tendremos problemas también. Debemos entender por qué estamos y debemos estar en este nivel de integridad.

Esto va relacionado con el tipo de usuario que debemos ser. Solo podemos ser un usuario que forme parte del grupo administradores, pero que no esté ejecutando el proceso como administrador. Esto es importante. Es otra cosa que a veces no queda clara. 


Necesitamos que un usuario que tiene privilegios para realizar acciones como administrador, haya ejecutado un proceso y que no haya hecho uso de dichos privilegios para, una vez comprometido su proceso, podamos aprovechar este hecho y hacer el bypass de UAC. Puede ser lioso, pero es lógico. Si el usuario hubiera lanzado el proceso como administrador, el nivel de integridad ya sería alto, no medio.

Como se veía en la imagen anterior, el módulo de Metasploit comprueba si el usuario al que pertenece el proceso comprometido es o no es del grupo administradores. Si no es del grupo administradores, ¿Qué ocurre? Es sencillo, la política de comportamiento del UAC asociada es diferente. Tal y como se puede ver en la imagen, la acción por defecto para un usuario que no pertenece al grupo administradores es que el UAC pida credenciales.

Figura 7: Selección de opción de pedir credenciales

Windows Vista, en el comienzo de la historia del UAC, utilizaba un comportamiento más estricto, pedía confirmación ( o No) para los administradores, independientemente de si el binario estuviera o no firmado por Microsoft o si tenía o no Auto-Elevate

Figura 8: Configuraciones de los Modos UAC en Windows 7

¿Era más seguro? A priori, y basándonos en este artículo, sí. Pero las quejas llegaron. Los usuarios no estaban preparados para ello y se rebajaron algunas configuraciones. Esto fue en Windows 7, si no recuerdo mal, que puedo recordarlo mal.

Y un bypass de UAC entonces, ¿dónde tiene sentido?

Yo siempre digo en las clases o en los cursos/talleres que un bypass de UAC se enseña en local, pero su aplicación tiene sentido en remoto. Es decir, por motivos de divulgación y educación se puede enseñar en local todo el proceso de lo que ocurre, no solo quedaros con se lanza un módulo de Metasploit y listo, eso es la automatización y está bien, una vez que se conoce qué ocurre por detrás. 

Miramos con ProcMon y Proccess Explorer lo que ocurre, se estudian diferentes técnicas: Environment Injection, DLL Hijacking, Fileless… O jugamos con nuestro querido UAC-A-Mola y vemos qué cosas se pueden hacer.


Figura 9: UAC-a-Mola: Bypassing UAC using Fileless techniques

Pero a la hora de poner en práctica o de utilizar en un Ethical Hacking solo tiene sentido en remoto, porque si tienes un usuario que cumple los requisitos del bypass de UAC y tienes acceso físico te vale ejecutar:

 "botón derecho -> Ejecutar como administrador" 

Bien, pero ¿cómo hacemos eso en remoto? Es complejo. Vamos a tener una shell remota con la que podemos ver fácilmente si tenemos la posibilidad de utilizar técnicas de bypass de UAC y si estamos en ese caso, ¿cómo se aplican? ¿Ejecutas botón derecho -> admin? No. No puedes. Aquí es dónde tiene todo el sentido del mundo las técnicas de bypass de UAC.

Desde una shell invocarás a un binario que cumple las tres necesidades comentadas anteriormente, previamente habrás preparado el camino para que la ejecución de dicho binario desemboque en que el nuevo proceso haga uso de tu código, y como ese proceso se estará ejecutando en un nivel de integridad alto, tu código también se ejecutará en el mismo nivel de integridad.

Ahí tenemos el bypass, porque gracias a las características del binario, el UAC dejará ejecutarlo. Y en esto se resume. Hemos hablado mucho en este blog sobre diferentes bypasses de UAC, cómo han ido evolucionando las técnicas, cómo a veces se simplificaban y ahí están los artículos

Para mí: ¿Qué no es un bypass de UAC?

Si desde la GUI de cualquier binario se puede ejecutar código, pero no se puede hacer a través de una consola, para mí no es un bypass de UAC efectivo. Puede que, técnicamente se haga un bypass de UAC, porque evitemos que se ejecute el UAC y se ejecute un código nuestro. ¿Nos aporta algo más que darle al botón derecho -> "ejecutar como administrador"? Eso es lo que nos tenemos que preguntar, es decir, ¿podremos utilizarlo?

Aquí tenemos una bifurcación: bypass de UAC efectivo para el pentesting o bypass de UAC que prueba un concepto, pero no es efectivo para el pentesting. Como ejemplo podemos utilizar algunos ejemplos con interfaces gráficas.

Técnicamente, lo que veremos ahora consigue hacer que un CMD se ejecute y no salte el UAC. Sabemos que cuando se intenta ejecutar una CMD con privilegio, el UAC saltará para confirmación del usuario o petición de credenciales en el caso de un usuario que no sea del grupo administradores. Tenemos que pensar, ¿se puede usar en un pentest? Eso es más complejo.  Lo primero es utilizar un binario de los que sabemos que ejecutan en un nivel de integridad alto sin que el UAC salte, por ejemplo, el eventvwr.exe en Windows 10.

Figura 10: EventViewer tiene Auto-Elevate True

Desde aquí, todo lo que sea código que se ejecute heredará el nivel de integridad alto, por lo que podemos ir al menú "Help". La opción "Help Topics" nos muestra la ayuda del visor de eventos. Pinchando con el botón derecho en la parte donde se muestra el texto se puede ver una opción que es "View Source".

Figura 11: View Source

Al ejecutar "View Source" se ve un bloc de notas con un texto. Claro, si analizamos el bloc de notas con Proccess Explorer podremos ver que el notepad.exe se ejecuta en un nivel de integridad alto. Aquí ya tenemos lo que buscamos, si abrimos un cuadro de diálogo tenemos la posibilidad de ejecutar lo que se quiera.

Figura 12: notepad.exe con nivel de integridad alto

Abrimos el cuadro de diálogo y buscamos en System32 el binario del CMD. En vez de abrirlo sobre el notepad.exe, botón derecho y abrir el cmd.exe. Ahí lo tenemos. ¿Podríamos haberlo hecho a través de una shell? Si encontramos la forma de hacer que todo esto se pueda hacer desde una línea de comandos, tendríamos, desde mi opinión, un bypass de UCA efectivo, si no, simplemente hemos demostrado o enseñado que hay código que puede ser ejecutado sin que el UAC salte, pero no termina de ser efectivo en un pentesting o en un Ethical Hacking.

Figura 13: CMD.exe elevado sin UAC

En la siguiente imagen de Process Explorer se puede ver el nivel de integridad y cómo desde el mmc.exe (abierto con eventvwr.exe directamente) sin que el UAC salte, porque es un binario que cumple las condiciones comentadas anteriormente, se van abriendo diferentes procesos hasta llegar a una cmd.exe.

Figura 14: Nivel de Integridad "High"

Vale, pero, ¿es efectivo? Cuando se lee bypass de UAC, una de las cosas que debemos valorar es efectivo o no. Generalmente, cuando hablamos de bypass de UAC entendemos que es una vía por la que se obtiene privilegios saltándonos el UAC y nunca a través de algo gráfico, porque no habría diferencia con "botón derecho -> ejecutar como admin". El debate está servido. Tú decides.

Saludos,

Autor: Pablo González Pérez (@pablogonzalezpe), escritor de los libros "Metasploit para Pentesters", "Hacking con Metasploit: Advanced Pentesting" "Hacking Windows", "Ethical Hacking", "Got Root",  "Pentesting con Powershell" y de "Empire: Hacking Avanzado en el Red Team", Microsoft MVP en Seguridad y Security Researcher en el equipo de "Ideas Locas" de la unidad CDCO de Telefónica.  Para consultas puedes usar el Buzón Público para contactar con Pablo González

Figura 15: Contactar con Pablo González

Related word
  1. Pentest Standard
  2. Hacker Videos
  3. Pentestbox
  4. Hacking Software
  5. Pentest Dns Server
  6. Pentest Network
  7. Pentest Stages
  8. Pentestlab

How To Unlock Forgot Pattern Password In Android Phone

We've all been there. You accidentally enter the wrong password into your phone too many times, and suddenly, you're locked out of the device for good. Maybe your kid or a friend of yours took your phone and, as a joke or an accident, entered the wrong code one too many times. Maybe it's your secondary phone and it's been sitting in a drawer for a couple months and now you need it – but you forgot the code. With photos of our friends and family, our entire music collection, and our contacts library saved on our devices, one can't just be expected to hard reset the phone if something goes wrong with the passcode on the device.

Being locked out of our phones feels a lot like being locked out of our entire life. That said, you don't have to worry about trying to find a way out from phone purgatory. If you've accidentally triggered a permanent lockout of your phone, or you're not quite there yet but you know you've forgotten the password, you might feel the need to start panicking. Maybe you haven't forgotten the code to your phone, but you're looking for a smarter way to unlock the device when you're using it day-to-day. If you're curious about how phone unlocks work, whether trying to get into your locked device or just trying to make sure you don't accidentally lock yourself out, you've come to the right guide. With any luck, we'll be able to get you back into your phone without losing an ounce of data. And for those users who haven't lost their passcodes but are simply trying to use their phones in a smarter, more secure way, we have some tips for you too. This is how to unlock your Android phone.



Forgotten Passcodes

You've picked up your phone to check your text messages or your email, only to realize that something is wrong with your passcode. Despite knowing that you've set the password to be, let's say, your first child's birthday, nothing seems to be working. Your phone continues to tell you the password is wrong, but you've checked the spelling three times. Finally, your phone alerts you that you've been locked out of the device for the time being. What to do when you need your phone to pay for groceries, call an Uber, or check Instagram while waiting in line at the bank. If you've forgotten your passcode, you aren't completely out of luck just yet.

Try Variations on Your Passcode

Are you entirely sure you aren't misremembering your password? The first piece of advice we would give you is to ensure your passcode isn't being mixed up, or that you aren't forgetting a key piece of your passcode that happens to come at the end of the phrase. Plenty of us often forget about little tweaks to passwords we've added in order to ensure that our devices are as secure as possible. Here are some tips to making sure you're remembering every piece of your passcode:

  • Capital letters: If you're using a passcode phrase, you might've forgotten to add in any capital letters to your text. Make sure you remember to place the capital letters correctly as well; we've all forgotten the correct word or letter to capitalize in passcodes like this.
  • Numbers: Sometimes you forget about the number you added on your passcode a couple days ago. If your passphrase spells out "WaterInJuly382," you'll want to make sure you remember to enter the "382" part of the password. Don't be surprised if you accidentally forget to add the numbers onto your passcode. It happens to the best of us.
  • Special characters: Just like the capital letters, sometimes we add special characters into our passcodes to make them as complex as possible, only to forget the characters just hours later. Think back to decide whether you added an exclamation point, a dollar sign, or any other special character to your code in order to protect your data. It might make the difference between a lost passcode and saving your data.

Find My Mobile (Samsung Devices Only)

Are you using a Galaxy S9 or a Galaxy Note 8? You might be in luck: Samsung's own Find My Mobile tool features an additional feature not offered by Google's own Find My Device tool. Find My Mobile is similar to Find My Device or Find My Phone on iOS, but developed by Samsung specifically for their devices. For the most part, it does the same stuff you'd expect: Find My Mobile can locate your phone using GPS, make the device ring when you lose it in your couch cushions, and can even backup your data remotely using the web app offered by Samsung. More importantly, however, is the app's ability to unlock your device from your computer even if you've forgotten the passcode for the device.

There's a catch: if you haven't set up your Samsung account on your Galaxy S-device, you won't be able to do this. Like most of Samsung's tools, you need a Samsung account to log into the site and to unlock your device. Assuming you have set up your Samsung account—and haven't forgotten the passcode to that account—you should be able to unlock your device using the Find My Mobile web app here. All you need to do is sign in with your Samsung account, select the option to remotely unlock your device, and you'll be all set to go.

It's important to note that unlocking your device remotely does clear the biometric data off your device, so any fingerprints or iris scans you have saved on your device will have to be added back to your phone – small price to pay for saving your device's data in the long run.

As we mentioned, Google has a similar utility for all Android phones called "Find My Device," which only features the option to lock your device, not unlock it. If you've forgotten your passcode, all Find My Device will do is locate the device by GPS, re-lock the screen, and erase data; it won't be able to unlock the screen from the cloud.

Last Resort: Resetting Your Device

Unfortunately, thanks to the security enhancements added to Android 5.0 and above, most modern devices that aren't made by Samsung will have to be reset in order to bypass the password. Yes, this means you'll need to set your phone up again from scratch, re-downloading apps, music, and any other content you have saved on your mobile device. Being locked out of your device makes it difficult to back up any content on your phone, but if you already have some backup methods put in place, you can trigger them by plugging your phone. Both Google Drive backups (Pixel only) and Google Photos backups are often triggered by plugging your phone into a charger, so making sure your device is plugged in is ideal for guaranteeing that your software is saved. We recommend waiting until morning to reset your device if you're locked out; plenty of these backups happen overnight, including most SMS backups if you have an SMS backup app installed and running on your device.

Because you can't access the settings menu to factory reset your phone, you'll need to either use the hardware buttons on your phone to trigger a reset or use Google's Find My Device page in a web browser to reset the phone. Here's how to do each step:

If you're using Google's Find My Device page, load the URL here, sign into your Gmail account, and make sure your phone is selected. On the right side of the display, you'll see a Google Maps layout with a display showing the current location of your phone. On the left side of the display, you'll see a tab with three options: Play Sound, Lock, and Erase. Hit the Erase option to automatically trigger a device reset. Remember that your phone has to be powered on and connected to the internet in order to use this method.

Now, if you don't have access to the phone and can't use Find My Device to restore the phone over the web, you'll need to rely on the second method. To manually erase the device and reset the phone, you'll need to use the hardware buttons to load into your device's recovery system. This is accomplished a little differently on every phone, so your best option is to search for your phone model on Google with the keywords "boot into recovery." Some devices, like Samsung's lineup of phones, are fairly easy to boot into recovery with; you turn off the phone and press and hold a specific button combination to boot into recovery. Other phones, like Google's Pixel 2 XL, are much more finicky, requiring you to press and hold on one key and press and release another at the right time in order to boot into recovery. There are so many various methods for each Android phone, it's basically a requirement to search for the correct method for your phone to do this.

Once you've booted into recovery mode, use your device's volume up and volume down buttons to scroll through the list until you reach "Wipe Data/Factory Reset." Use the power button to select this option, then confirm your selection on the next display. Your phone will begin to reset; make sure the phone is charged enough to ensure it can last at least 30 minutes without dying. Once your phone has rebooted back to the menu screen, you can set up your device by logging back into the Google account you use for your phone. It is vitally important you use the same Google account you used on your phone prior to resetting. Android has a built-in security protocol known as Factory Reset Protection that requires a recently-reset phone to have the same Google account as previously used on the device in order to prevent a thief from immediately using the stolen phone. If you don't have the password for your Google account, you can reset it, but that means you won't be able to log into your phone for 24 hours after the reset.

Backup + Factory Reset

Probably the best combination of things to do does require you plan ahead, and set up a backup of your phone's data to the Google Cloud. This way, even if you have to reset the phone for whatever reason, a reasonably current set of your phone's data will be available, intact, and ready to get your phone back into action. I will walk you through how to set this up. You will need a Google account for this.

To set up backup, follow these steps.

  1. Go to Settings on your phone.
  2. Select System->Backup.
  3. Select Google backup.
  4. Select "Backup Now"

Your phone will now copy the critical data to your Google account.

Restoring from backup is simple. After you reset your phone and attach your Google account to the phone again, it will automatically restore your data from backup. Running a backup takes only a few minutes on a WiFi connection, or even less if you keep your phone regularly backed up – get into the habit of setting off a backup every night when you go to bed and you will always have a near-realtime backup of your phone.

(Want to backup more than just your phone? You can with one of these speedy 4-TB portable hard drives from Toshiba. You can back up all the computers in your household, and still have room for a thousand movies.)

Unlocking Your Phone with Speed

If you aren't having trouble getting into your phone, but you want to make sure your phone is secure while simultaneously unlocking your phone with some serious speed in order to make your day easier, we have some advice. There are plenty of options for unlocking your device, and they all help to make unlocking your phone easier and to prevent a situation where you forget the code for your phone.

Smart Lock

Smart Lock is one of our favorite tools on Android that is unavailable on other platforms. It makes it easy to make sure your phone is always secure, while simultaneously working to stay out of your way when you want access to your device. Basically, Smart Lock offers Android users several ways to unlock their phones when they're using it, while keeping it locked when it's not near them. To turn on smart lock, you'll need to open up your settings menu on your Android device and head into the Security submenu. Under "Device Security," you'll find an option for Smart Lock. Type in your passcode or password to enter Smart Lock, and you'll be greeted with (as of writing) five unique options for unlocking your phone. Let's break each of these down:

  • On-body detection: This setting allows you to unlock your device once before disabling the lock for as long as the phone is in your hand or on your person. Using your smartphone's array of sensors, the device tracks when your device is in use, so you can turn the display off but keep the phone unlocked while it's in your hand. When your phone realizes that it's been set down, your phone will automatically re-lock, requiring a password. This isn't the most secure method Smart Lock offers, but it is pretty cool.

  • Trusted places: Sure, it's one thing to keep your phone locked when you're out on the town, but what about when you're sitting in your apartment watching Netflix and you just want to be able to use your phone without constantly worrying about your password? Trusted places works to use the GPS in your phone to detect that you're in a secure location of your choosing, and automatically keeps your phone unlocked for you. As soon as you leave your location, your phone relocks, keeping things safe and secure for you and your device.

  • Trusted devices: This might be the best of the five Smart Lock options, because it's ideal for keeping your devices safe when you're nearby and keeping your phone locked when you've left. Do you own a smartwatch, a fitness tracker, a set of wireless headphones, or any other device that syncs over Bluetooth? Trusted devices might be the option for you, allowing you to keep your phone unlocked when your phone is paired with your gadgets. Smartwatches and fitness trackers are ideal for this, but it also helps you keep your phone unlocked when driving in your Bluetooth-equipped car, when running with Bluetooth headphones, or when paired with a set of Bluetooth speakers.

  • Trusted face: Plenty of phones have had a face unlock feature, though none of them are quite as secure as the FaceID method on the iPhone X. Still, if you want, you can enable Trusted Face on your device in order to allow your camera to automatically unlock your phone when it recognizes you. However, Trusted Faces is much more easily fooled than the above methods, especially since a photo of you—or even a lookalike—could unlock your phone without having to use any security. Use this one with caution.

  • Voice Match: Voice Match is a bit different than the other options on this list, because largely speaking, it's used to activate Google Assistant more than unlock your device. Here's the deal: turning on Voice Match allows you to access your Google Assistant every time you say "OK Google," even while the screen is off. Once you've enabled that ption, you have a second choice: "Unlock with Voice Match," which allows you to automatically unlock your phone when the sound of your voice saying "OK Google" matches the saved voice model on your device.

You can enable just one or all five of these, so don't worry if you like the idea of Trusted Devices but don't want to use On-Body Detection. If Smart Lock makes you feel like you can't properly keep your smartphone secured while enabling these settings, you don't need to worry. Every Android smartphone with Smart Lock enabled has the ability to lock the device manually, requiring a passcode or fingerprint in order to use the device properly. At the bottom of your lock screen is a small lock icon that allows you the choice of manually locking your phone. How you use it is actually a little different depending on your device; for example, Samsung devices have you press the icon to lock the app, but the Pixel phones have you press and hold the icon.

Once you've done this, your phone will give you a small notification alerting you that your device has been manually locked, and that the device will stay locked until you're ready to manually unlock with either your fingerprint (if you've turned this on) or your passcode. Manually locking your phone disables all smart locks, so even if you turn on a trusted Bluetooth device, you'll have to either input your passcode or password, or use your fingerprint to unlock the device if you have biometric security enabled. We'll talk more about fingerprints in the section below, and more specifically, how you can keep your biometric data from being used against you on upcoming versions of Android.

Smart Lock is one of those features that seems like a no-brainer, since it's so damn easy to setup and use to your benefit. That said, using Smart Lock obviously raises security concerns overall, since it does keep your phone unlocked more often. You'll want to play around with Smart Lock to find the right combination of security and ease of use for you. Maybe that means unlocking the device when it's attached to your car's Bluetooth and when you're at home, but keeping it secured at work and leaving on-body detection disabled. Whatever the right combination is for you will likely be a personal decision, but with five different modes of Smart Lock available, you have plenty of options and combinations to choose from.

Fingerprints

Almost every Android device in 2018 has a fingerprint sensor equipped on the body of the device, allowing you to easily access your content without having to go through the hassle of entering your passcode every time you use your phone. Fingerprints aren't a perfect unlocking method, but they're fast, secure, and can be equipped with up to four fingerprint entries on most phones. If you aren't using the fingerprint sensor on your device, you should enable it if only to create a backup option. Even if you prefer to unlock your phone by using an unlock method like a PIN, pattern, or password, fingerprints are perfect if you're ever in danger of accidentally locking the device without knowing the proper password.

If you aren't one to use fingerprints to unlock your phone, one step you could take to ensure you never forget your passcode is set the fingerprint on your phone to unlock with a finger that isn't your thumb or index finger. For example, try using your pinky finger or your ring finger as a way to program a fingerprint without making it obvious. You'll always have the option to use your fingerprint as a backup if you forget your code, but otherwise, you'll be good to go when it comes to always having a way to unlock your phone. You could also try using the fingerprint of someone you intensely trust, like a partner or a child, if only to keep a backup that doesn't happen to be with you all the time. This is especially good if you're worried about being forced to unlock your phone by law enforcement, a pressing matter that is becoming more prevalent all the time.

Finally, if you're still worried about logging your fingerprints on your Android device due to security concerns, the upcoming release of Android P has a security feature built-in that allows you to quickly disable fingerprint scanning if you find yourself at risk of being forced to unlock your device. Called "lockdown" in the settings menu, the option allows you to immediately disable both fingerprints and Smart Lock, just by using the option that appears within the power menu on the lock screen. It only disables those features for one lock, but if you're in a place where you're worried your biometric or smartwatch lock features might be used against you, it's a great option to feel more secure.

Notes and Reminders

If you're the type of person who likes to use a complex password on their phone and balks at the idea of using any of the smart unlock features we highlighted above, you might want to consider using the lock screen text display as a way to leave yourself helpful notes and tips to make remembering your password that much easier. Every Android device on the market today has support for placing a message on the lock screen, and you can display some pretty long messages. While most people use this as a way to label their phone (the example in Android is "Joe's Android"), you can also use it to set what amounts to old password hints from Windows and other desktop operating systems.

So, for example, if you've set your password as the name and birthdate of your daughter (ie., "elizabeth1217"), you could set the reminder on your lock screen as "ebbirth", for "elizabeth1217." This can be done for any password, even if it's a random phrase. "Candy90erring60Blinders," for example, could be hinted at on your lock screen with "Reese's, Jewelry, Sunlight." You'll still have to work to remember the numbers and the correct words that match up with the other content, but it can go a long way in helping you to remember what your password is without giving it away. Again, this is totally optional, a way for users to remember their long passwords without having to deal with giving it away or writing it down.

Password Managers

This final tip is for those among us who have a reputation for forgetting passwords and passcodes. If you're always worried about losing your password to your phone and getting locked out, you might want to try using a password manager like Lastpass or 1Password, which allows you to save all your passwords in one place with a single unlock, typically requiring a fairly long phrase in order to gain access to your passcodes. We recommend Lastpass for password manager beginners, because it's free and works with all your devices out of the box. We recommend writing the passcode down somewhere safe and secure in your house, then saving your phone's password inside of Lastpass for safekeeping. It might seem like an odd choice, and certainly won't speed up the unlocking process if you do manage to forget your password, but it's always good to have a backup unlock method to keep your phone's data safe.

***

Losing access to your phone is a nightmare. It's where all of your personal data, from bank account information to photos of your family and friends, lives and is kept safe. Being locked out of your data can feel like the end of the world, but luckily, it doesn't have to be. Whether you're worried about locking yourself of your account, or you've recently updated your phone's password and want to make sure you don't lose it, there are plenty of options to ensure you don't lose access. And even if you have, you aren't completely out of luck, thanks to the various options that exist for getting back into your account.

If you're looking for a way to unlock your phone faster, there's all sorts of opportunities to make sure your Android device is ready for you to login without having to enter your password every time. Biometric security has become fairly commonplace in the mobile arena, and likewise, Smart Lock on Android has made it easy to keep your device secure when it needs to be and unlocked when it doesn't. Overall, the security options on Android have become so plentiful that there's no reason not to keep some kind of security on your Android device. Just make sure you remember the password before you save the account information.

@EVERYTHING NT

Related news