Forgot Mycelium PIN

[shamzblueworld]

I've recently started using Mycelium, and now I've forgotten my PIN.
I do have the seeds/keys but is there a way to change pin or find our my pin without having to uninstall and install again and then restore wallet with those keys.
That would be an option right? If I cannot get to my PIN.

[TryNinja]

I'm not sure if this still works, but if you have a rooted android phone, you can try to do that[1] to get your PIN.

If you are using iOS or your phone isn't rooted, you will need to clear the app data or uninstall it, then restore your wallet with the backup seed and setup a new PIN.
[1] https://github.com/mycelium-com/wallet-android/issues/38#issuecomment-33803790

[HCP]

If you can't root your phone and get the PIN from the settings file, then unfortunately aside from simply trying to manually bruteforce the PIN by guessing PINs, there is no way to try and find what the PIN is... otherwise, it probably wouldn't even be worth having a PIN in the first place!

If you have lost the PIN, your best bet is to just restore your wallet using your 12 word seed mnemonic... Unless you had extra private keys in there that you no longer have backups for, you will be able to recover everything.

[Xynerise]

I'm not sure if this still works, but if you have a rooted android phone, you can try to do that[1] to get your PIN.

If you are using iOS or your phone isn't rooted, you will need to clear the app data or uninstall it, then restore your wallet with the backup seed and setup a new PIN.
[1] https://github.com/mycelium-com/wallet-android/issues/38#issuecomment-33803790

I downloaded Mycelium on a rooted phone to test it and it still works.

Pin is still stored in the /data/data/com.mycelium.wallet/shared_prefs/settings.xml

The PIN is in plaintext too.

Is this not a security vulnerability?
A malicious app with root access could read the file and send bitcoin to an attacker's address without the consent of the owner.
People shouldn't run sensitive applications on rooted devices anyway.

[shamzblueworld]

I'm not sure if this still works, but if you have a rooted android phone, you can try to do that[1] to get your PIN.

If you are using iOS or your phone isn't rooted, you will need to clear the app data or uninstall it, then restore your wallet with the backup seed and setup a new PIN.
[1] https://github.com/mycelium-com/wallet-android/issues/38#issuecomment-33803790

I downloaded Mycelium on a rooted phone to test it and it still works.

Pin is still stored in the /data/data/com.mycelium.wallet/shared_prefs/settings.xml

The PIN is in plaintext too.

Is this not a security vulnerability?
A malicious app with root access could read the file and send bitcoin to an attacker's address without the consent of the owner.
People shouldn't run sensitive applications on rooted devices anyway.

Going by this, its better to not root the device and just try to reinstall and restore from the keys?

[Xynerise]

Going by this, its better to not root the device and just try to reinstall and restore from the keys?

Yes.
It's really not wise to use crypto on a rooted phone.
You may have a malicious app without knowing (even Google Play store doesn't filter malicious Apps well enough) which may scan for crypto apps to exploit.

It's safer to just reinstall and restore.

[bitbunnny]

I'm not sure if this still works, but if you have a rooted android phone, you can try to do that[1] to get your PIN.

If you are using iOS or your phone isn't rooted, you will need to clear the app data or uninstall it, then restore your wallet with the backup seed and setup a new PIN.
[1] https://github.com/mycelium-com/wallet-android/issues/38#issuecomment-33803790

I downloaded Mycelium on a rooted phone to test it and it still works.

Pin is still stored in the /data/data/com.mycelium.wallet/shared_prefs/settings.xml

The PIN is in plaintext too.

Is this not a security vulnerability?
A malicious app with root access could read the file and send bitcoin to an attacker's address without the consent of the owner.
People shouldn't run sensitive applications on rooted devices anyway.

This is definetely huge vulnerability. And good to know because I use Mycelium too. I'm surprised how people are easy deciding to use applications like Bitcoin wallets, that are highly sensitive and they could suffer big damage, on rooted phones. This is not smart to do and when you loose coins it will be too late.

[LoyceV]

This is definetely huge vulnerability.

I had the exact same thought when I first read about the clear text PIN storage. But, the PIN is only 6 digits. Even if it would be encrypted, with only 1 million possibilities, a brute force attack would be possible anyway.
The only way to prevent this would be using a much longer password, or slow encryption (especially on old phones), and a rogue app on a rooted phone could still capture it when you enter the PIN.

[bob123]

I had the exact same thought when I first read about the clear text PIN storage. But, the PIN is only 6 digits. Even if it would be encrypted, with only 1 million possibilities, a brute force attack would be possible anyway.

You are right with that.
Mobile wallets shouln't be regarded as secured wallets.
For me, it doesn't matter whether everything of the wallet is perfectly encrypted on the mobile or the pin is stored in plain text.
I only use mobile wallets for small amounts im fine with losing. As long as your mobile is not rooted its 'relatively' safe (for small amounts).

The only way to prevent this would be using a much longer password, or slow encryption (especially on old phones)

I don't think slower encryption would help at all.
Files can always be moved onto a new PC and be cracked there with multiple graphic cards.

Choosing a 'slow' encryption won't stay 'slow' for a long amount of time, since the technology evolves at a fast rate.

[LoyceV]

I don't think slower encryption would help at all.
Files can always be moved onto a new PC and be cracked there with multiple graphic cards.

Choosing a 'slow' encryption won't stay 'slow' for a long amount of time, since the technology evolves at a fast rate.

My KeePass password manager uses millions of encryption rounds, and benchmarks that to take about 1 second on the PC it's installed on. If I would want to brute-force it on my own PC, I could only try one password per second.
Mycelium could do something similar: if it takes 1 second to try 1 password on the phone, you may get 1000 times faster with some heavy hardware, but you still need a much stronger password to make it withstand a brute-force attack for more than 20 minutes.

[Sadari3]

The only way to do this is to root your phone (without deleting it, not all devices support this), and browse the file system and find the PIN settings in the personal data of the Mycelium app.Or you can restore your Mycelium backup on different devices. You should always have a backup and be careful storing bitcoin in android wallet