How to use an old password on Google or GMail to get your lost Android phone back. (Updated Script 11/18/2014)
I’ve come to really enjoy going to live soccer games, and late in July my wife got us some great seats to FC Dallas versus the LA Galaxy! We had a great time. We had a designated driver so sampled various micro-brews and cheered for Dallas. They lost but we had a wonderful time.
Because of the gusto with which we sampled the various brews, I never noticed I had lost my phone until the next morning as we prepared to go out of town. I was convinced I had left my phone in our friends’ car, so we left for several days. They couldn’t find my phone in their car, so I immediately began resetting my passwords, starting with Google.
If you’ve lost your phone and didn’t have any tracking software on it, you may be aware of tools like Plan B or AndroidLost. After my last factory reset, I forgot to put tracking software back on my phone or even set a lock.
And thus, in my effort to secure my identity and accounts, I had locked myself out of my phone. With a new Google password, I couldn’t go to Google Play and push Plan B or anything to my phone. And Google doesn’t allow you to use old passwords, so I couldn’t set it back.
Sorry, but this would not do. And so – here’s the story of how I reset my Google password back to an old password, found my phone, and got it back.
Before you lose your phone, install tracking software. Period. I used AndroidLost. Install it, enable Admin Rights. Scan the QR code you see to get started.
Then, I would encourage you to donate a few bucks to the team that wrote it. You don’t have to, but if you use it to get your phone back, you will anyway. Donating ahead of time will make the software better.
Then go to AndroidLost.com, login with your Google account, and check it out.
You’ll thank me, and AndroidLost, if you have to use this software. AndroidLost doesn’t poll a server but like many other solutions it is managed via SMS and so battery drain and data usage should be minimal. Also, check out Lookout software’s Plan B. It, too, can be a lifesaver.
Learn from my mistake. Lesson 1 – install recovery software before you lose your phone.
Dang, I didn’t follow my own Lesson 1, so Lesson 2:
Mine was almost a worst case scenario. I had no security on my phone and have several ancillary accounts associated with my Google account. My first reaction was to change my password. Which is good until you try and change it back to your old one. Via Google Play, you can install apps like AndroidLost and Plan B to your phone. There’s a catch, though, in that you can only do this if its login is still valid or you haven’t changed your Google password. I’d done the latter, so my phone was somewhere with no tracking software, no passcode, and no way for me to touch it.
A quick search showed a LOT of people unhappy that Google won’t allow password reuse. More digging uncovered references to 100 remembered passwords. The general consensus in the support forums is “Too bad for you, you should have known better. Better luck next time!” The IT pro in me knows that this is the right approach. It’s just better and more secure that way.
I can’t reuse my old Google password until I change my password 100 more times? Challenge accepted, like a boss.
It’s funny how you go back to the basics when the SHTF. In this case, I retreated to tools I had used in various capacities for years: VBScript and the spectacular Windows automation tool AutoIT. For reference, the editor I use for VBScript is VBSEdit. There are many other editors, but this one is mine. It builds scripts into executables, too.
So, if you’re going to use this you have to install AutoIT. Install it all, including the COM objects. Next, you might be on a 64bit machine and running VBScripts on 64bit machines vs 32bit machines can be kludgy. Start by clicking here if you have issues. Lastly, I use Chrome. It’s really moot, but this script is written to use Chrome.
I make no guarantees that this script will work for you. Use this script at your own risk. If you do not feel comfortable with solving any of the issues I reference here, DO NOT USE THIS. Don’t download it, don’t run it, don’t do anything with it. You could lock yourself out of your Google account. If you are crazy enough to try this, make SURE you have recovery options set up for your Google account and that you can use them.
That being said, here’s the script. Read the comments carefully. Close everything else before running it. Do not touch your computer or move your mouse or click on any windows while this is running. The reason is that the script automates windows and sends keystrokes to the active window (in this case, Chrome). It takes a while to run, so give it time. Run the script from a prompt so when it terminates the output is still visible. I strongly recommend this in case of any problems.
Updated to version 1.8 – see script comments for details – Script is also available on GitHub here.
Basically – the script opens Chrome, logs in as you, and begins to change your password 99 times. It logs in, changes your password, logs out, and repeats. It adds numbers to the end of your current password. After that, it resets the password a final time to the old password.
I created a test Google account to make sure the script ran as I wanted before doing this on my real account. I recommend doing this so you’ll know what to expect. Don’t forget to set up your recovery options on your test account. A handy thing about this is the test account can be the recovery account for your primary account.
One more thing, this script outputs the password it is setting the account to. If it is interrupted for any reason you can examine the output to determine what the current password on the account is. You should use the recovery option, but if you are like me and can get into Ready, Fire, Aim mode – check the output for the current password. You can then edit the script, and start it over.
Lesson 2 is where there’s a will, there’s a way; especially if the will stems from paranoia and OCD. Oh, and that yes, it is true: if you change your password 100 times Google will forget your old password and let you use it again.
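Why the rotation trick works, as an added example that is not the author's script or Google's code: a bounded "remember the last N" history evicts by count only, so N quick changes push the old password out, while a minimum password age (a common companion setting in directory password policies, assumed here as the mitigation) stretches the same cycle to N days. The class, function names and sample passwords are constructed for illustration, and whether the current password counts toward N is an assumption of this model.

```python
import hashlib
import hmac
import os
from collections import deque


class PasswordHistory:
    """Toy model of a 'remember the last N passwords' policy (hypothetical)."""

    def __init__(self, initial, remember=100, min_age_s=0):
        self.salt = os.urandom(16)
        self.history = deque(maxlen=remember)  # oldest digest drops off when full
        self.min_age_s = min_age_s             # 0 = no minimum password age
        self.last_change = 0                   # account created at t=0 (assumption)
        self.history.append(self._digest(initial))

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 1000)

    def change(self, new_password, now):
        if now - self.last_change < self.min_age_s:
            return "too-soon"
        digest = self._digest(new_password)
        if any(hmac.compare_digest(digest, old) for old in self.history):
            return "reused"
        self.history.append(digest)
        self.last_change = now
        return "ok"


def cycle_back(policy, old_password, rotations, step_s=60):
    """Rotate through old_password+1..N, then try to set old_password again."""
    now = 0
    for i in range(1, rotations + 1):
        now += step_s
        if policy.change(f"{old_password}{i}", now) != "ok":
            return f"blocked at rotation {i}"
    return policy.change(old_password, now + step_s)


if __name__ == "__main__":
    pw = "hunter2"  # constructed sample password
    print(cycle_back(PasswordHistory(pw, remember=5), pw, 4))
    print(cycle_back(PasswordHistory(pw, remember=5), pw, 5))
    print(cycle_back(PasswordHistory(pw, remember=5, min_age_s=86400), pw, 5))
```

With a one-day minimum age the cycle still completes if each change waits a day (`step_s=86400`), which is the point of the control: it makes eviction slow rather than impossible.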
Ok, so your Google password is the same password that your account is set to on your Android phone. I’m writing this in August of 2012. If you are from the future and Play has changed, you’ll have to figure out how to remotely install apps. None of this will take effect until the phone is on. See Afterthoughts on this, but remember when the phone connects uninstalls will take place but not installs. I had told Play to install PlanB and AndroidLost and when the phone finally came online the apps did not install. This is an important thing to remember.
Go directly to http://play.google.com and login.
Go to “My Android Apps”.
Pick your lost phone.
Verify what is on it. You might want to remove apps that have personal data or information in them. If you use a 3rd party browser and cache passwords, for example. Or the Facebook and Twitter apps. Or maybe the Gmail app.
Next, Search for AndroidLost.
Hopefully, it is compatible with your device. Next to Send To… select your wayward Android device. Click Install.
Next, search for PlanB. Repeat the process and install PlanB.
PlanB will start emailing you its best guess as to the location of your phone. The better the signal where it is, the more accurate it will be.
Next, you will want to send SMS (text) messages to your phone. Don’t have another phone? You can use a friend’s or do what I did.
Head over to Google Voice. Set up an account. With Google Voice, you can send SMS messages. These apps will text you back, acknowledging your commands. See their websites for a list of commands. You can secure the commands to require a pin code or restrict what numbers can text commands to these. (Parents, are you listening? With these tools, you can get a GPS location of where your kids are, snap pictures, and record audio.)
Both AndroidLost and PlanB monitor incoming SMS messages for commands. For AndroidLost you have to tell your phone to launch the app. The phone takes its ID from your profile (see Dashboard in Afterthoughts) and matches up to your Google login on AndroidLost.com.
From there, via AndroidLost you can turn on the GPS (doesn’t work on all phones), pop up messages, take pictures, record audio, make your phone say things, and all sorts of useful tools to help find your phone. You can kick off an alarm for 30 seconds to find it in the couch cushions. You can also, and this sort of works, start a web server on your phone and retrieve files from your SDCard (if your phone is rooted, maybe more?).
You’ll want to monitor your Gmail Account for details as your phone begins to respond.
If you followed Lesson 1, you can self destruct your phone or lock it. (See Afterthoughts)
Lesson 3 is remotely installing apps on your phone works, but your options are limited because you didn’t follow lesson 1.
If you can’t get your phone back – make sure you call your carrier and kill it. YOU are responsible for any charges to your account made by whoever steals or finds your phone.
I chose to leave my phone active and wait for it to come online. When I lost it, the battery was almost dead. On Sprint, I could see they made one call the day after they found it. It was almost 8 days later before my phone came online again. I think they had to find a charger for it. Either way, do this at your own risk.
No lesson, just a bit of free advice. THINK about the risks before you act or don’t act. Only you know what’s best for you. My decision to not immediately deactivate the phone was risky and some may say stupid. The guy who found it made some international calls and I will have to pay for them. For me, though, it was worth it.
I was texting my phone like a mad man begging the person to reply to my texts so I could get my phone back. I was offering a reward, begging, you name it. (BTW, I don’t recommend you threaten) They never responded. Because they didn’t speak English! Consider using Google translate to text multilingual messages. The guy who found my phone couldn’t speak or read English. Granted, he didn’t ask anyone to translate it, but he also didn’t know I was offering him $100 to let me know where my phone was.
Never go alone to get your phone from a stranger, especially you ladies. The holder of your phone may know quite a bit about you. If the finder will meet you with the phone, meet in a well lit crowded public place. Be careful.
How do you know if your phone is online? Via your Google Dashboard. Login to your Google account, go to the dashboard, scroll down to the section titled Android Devices. There, you will see your phone(s) or tablet(s). Click More Data Stored About this Device. In a pop-up window, Google kindly gives you the MEID, Registration Date, and most importantly the Last Activity Seen on. That last bit of information is the last time your phone or tablet was powered on and successfully connected to Google. There’s no guarantee the phone is still on, but if the time stamp is very recent you might get lucky. I did. Remember, though, if you changed your password your phone can’t connect. If it shows only a time, that means the device has connected today. In my case, after 8 days, the phone powered on around 11:45 AM yesterday. I checked it about 3 hours later and recovery began in earnest.
Lock your device with a PIN or a Pattern. As a developer, I got lazy having to unlock my phone all the time. Lesson learned.
Install recovery software on your devices ahead of time. It may cost you battery life and maybe a little more data usage, but with EMAIL, online banking, Amazon, and pizza ordering available via your phone it’s important to protect your identity, credit, and savings. If the wrong person had found my phone they could have done a password recovery and gotten who knows what information.
Consider using non-system based email apps. By default, there’s an email client on your phone. You can use this for Gmail, Exchange, you name it, BUT YOU CANNOT REMOTELY REMOVE IT AND ITS DATA VIA GOOGLE PLAY. In my opinion, this is a huge oversight on the part of the carriers / Google / manufacturers. In my instance, I had an Exchange account set up on the default mail client on my phone. I used the GMail app for Gmail. Via Google Play, I told my phone to uninstall Gmail and delete all the data. The next time my phone came up it was told by Play to delete Gmail off the phone and all my emails. I couldn’t do this with the system app. So as a thought, always consider using a 3rd party app if the app will have personal or sensitive information within it.
If you get a brand new phone, before you do anything install these apps on the phone and play with them. Learn how to erase your SDCard or remotely lock / unlock your phone. Know what its capabilities are. Make your phone “self destruct” before you do anything with it. A self destruct just wipes all personal data off the phone, or factory resets it. So if it’s a brand new phone, I suspect a factory reset won’t do anything but you should carefully read what each recovery app does and what resetting it may do to your phone.
Consider using something like DropBox or Google Drive to automatically push data from your device to the cloud. For pictures, you might also consider setting up a Google+ account! When you install the Google+ app, you get the option to automatically upload your pictures to your G+ profile. They are not shared with anyone by default, but it will save a copy for you. This can be invaluable not only for protecting your files but also for when someone says “Hey, send me copies of the pictures you took at that party!”. If you set up a Google+ account, you can find me at http://inzi.com/plus.
I was lucky, but I didn’t sleep at all last night. If you are here because you lost your phone and are trying to get it back, I feel for you and I hope you get it back.
If this script helped you, perhaps consider tossing me a tip via PayPal. I donated $10 USD to AndroidLost. It’s not much, but after coughing up a reward for my phone I’m eating Tuna and Ramen noodles for the rest of the month.