Tech Journal Back to Tech Journal

How can I recover a lost password on my Palm?

The following story is just me being proud of myself, and if you ever get stuck in the same way - might come in handy.

I was playing with my Palm, and since the power button has become kind of stuck, I decided to set the "romantic stroke" (drawing a line from graffiti to screen) to do a power off. Except silly me, I forgot I had a password set. Long story short - my palm is locked. Of course, I don't remember the password.

I read online, looking for "password" and "palm"... Nothing useful. I suddenly remember that my Palm Desktop also allows me to read private records - so it must have my password!

I finally reach which lets me know that the password is stored in "users.dat " in my Palm Desktop directory. Yay! I can now read the file and find the password. Almost. It's encoded. Hmm... Meanwhile I run across "Win32::Palm::Install::UsersDat" a Perl module for reading users.dat - still no luck. All it can do is display the same encoded password.

Relevant Data from


Field Name Type Size Comments
User Count Short 2*Byte The count of users
Class Flag Short 2*Byte 0xFFFF value to indicate a class entry follows
Class entry Class-Entry   CUser class name
User entry User-Entry   occurs user count number of times


Field Name Type Size Comments
Hotsync ID Long 4*Byte Unique hotsync id for this user. Values less than 256 are reserved and indicate a user profile record
NLength Char 1*Byte Length of user Long Name
Long Name Char String User Long Name of NLength
Dlength Char 1*Byte Length of user directory name
Dir Name Char String User directory name of DLength
Active Short 2*Byte value 0x0001 indicates an active user that has hotsynced with this PC before.
PWLength Short 2*Byte Length of user password, if any.
Unknown Short 2*Byte Unknown purpose. If you discover its purpose, please let me know.
Password Char String A 32 character encoded string that represents the user password.
Important: This field is present only if the PWLength is non-zero.
Unknown Short 2*Byte Unknown purpose. If you discover its purpose, please let me know.
Variable Data Flag Short 2*Byte 0xFFFF value to indicate a class entry follows. If one does, it will be immediately followed by Conduit Entries for the Permanent Sync settings.
0x8001 value to indicate no more data for this user.
0x8003 value to indicate Conduit Entries follow for this users Temporary Sync settings.
Note: Any other value is an unknown value, you should continue to read shorts from the record until you encounter one of the above values or EOF to indicate the end of record for this user.
Variable-Data Variable-Data   See Variable Data Flag field for an explanation.

More reading. More dead ends. Finally I get to which tells me that the password field on the Desktop is just an MD5 hash of my actual password. Which is totally awsome! I mean, my password couldn't be more than 10 characters (since I know me - I'm too lazy.) - so I'll just generate the 26^10 passwords, hash them, and run the remaining ones thru a dictionary.

I was about to do that when I got to -- given an MD5 hash, it'll display some dictionary-words that match it.

Bottom line: it worked! I got my password back. But I guess it was too easy - the password was "grep"... But since I never use that as a password, I guess I'm lucky I found it... :-)

Last updated on 2007-01-29 14:00:00 -0700, by Shalom Craimer

Back to Tech Journal