- A security researcher has cracked the password to an 11-year-old Bitcoin wallet, recovering over $3 million in the cryptocurrency
- Joe Grand, also known as ‘Kingpin’, has led the effort to break into an encrypted file holding 43.6 BTC
- Grand has managed to regenerate the lost password by setting his computer clock back to the time the password was created
A security researcher has successfully cracked the password to an 11-year-old Bitcoin wallet, recovering over $3 million in the cryptocurrency. This effort was led by electrical engineer Joe Grand, known in hacker circles as ‘Kingpin’, who was hired to break into an encrypted file containing 43.6 BTC, stored since 2013. The owner’s password was lost when the encrypted file containing it became corrupted, but Grand managed to regenerate the password by setting his computer clock back to the time it was created.
Corrupted File Led to Lost Password
The bitcoin had been secured with a complex password generated by RoboForm, a random password generator. The wallet’s owner, choosing to remain anonymous, revealed in a video produced by Grand how he “generated the password, copied it, put it in the passphrase of the wallet, and also in a text file that I then encrypted.”
The situation went south, however, when the encrypted portion of the owner’s computer, which held the critical password, became corrupted. At the time, the loss amounted to only a couple of thousand dollars, which was “painful but OK” according to the owner. However, the subsequent meteoric rise in Bitcoin’s value, increasing over 20,000 per cent in the years since the password issue, transformed the lost bitcoin into a significant fortune, prompting the owner to seek Grand’s expertise.
Passwords Were Not Entirely Random
Initially hesitant, Grand eventually accepted the challenge after devising an innovative method to hack the password generator. Utilizing a reverse engineering tool developed by the US National Security Agency, Grand disassembled the code of RoboForm’s password generator. He discovered that, contrary to expectations, the passwords generated by the older version of RoboForm were not entirely random:
“In a perfect world, when you generate a password with a password generator, you expect to get a unique, random output each time that no one else has, [but] in this version of RoboForm, it was not the case. While RoboForm’s passwords appear to be randomly generated, they’re not. With the older versions of this software, if we can control the time, we can control the password.”
Grand’s breakthrough came with the realization that by manipulating the system’s clock to the exact moment in 2013 when the password was originally created, he could replicate the same password. With only an approximate timestamp to guide him, Grand and his colleague Bruno generated millions of potential passwords, ultimately succeeding in cracking the code.
Since then, RoboForm has updated its platform, enhancing the randomness of its password generator and rendering Grand’s time-based hacking technique ineffective for passwords created after 2015.
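The weakness described above, reduced to a toy generator as an added example (not RoboForm's code and not taken from the article): when the clock is the only seed, a password's real entropy is bounded by the number of possible clock values, whatever its length and alphabet suggest. The generator, the alphabet and the one-day 2013 window are assumptions constructed for illustration; `strong_password` shows the corrected form, which draws from the operating system's CSPRNG.

```python
import math
import random
import secrets
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # 70 symbols

def weak_password(unix_seconds, length=20):
    """Toy generator (hypothetical, not RoboForm's code): the only input to
    the PRNG is the clock, so the same second always yields the same password."""
    rng = random.Random(unix_seconds)  # predictable, non-cryptographic seed
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def strong_password(length=20):
    """Corrected form: every symbol comes from the OS CSPRNG; no clock involved."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def nominal_bits(length=20):
    """Entropy the password appears to have, judged by length and alphabet."""
    return length * math.log2(len(ALPHABET))

def window_outputs(start, end, length=20):
    """Every password the toy generator can emit for clock values in [start, end)."""
    return {weak_password(t, length)
            for t in range(int(start.timestamp()), int(end.timestamp()))}

def effective_bits(outputs):
    """Real entropy: log2 of the number of distinct outputs in the window."""
    return math.log2(len(outputs))

if __name__ == "__main__":
    # Constructed sample window: one day in 2013 (not a value from the article).
    start = datetime(2013, 6, 1, tzinfo=timezone.utc)
    outputs = window_outputs(start, start + timedelta(days=1))
    created = int((start + timedelta(hours=13, minutes=37)).timestamp())
    print("same clock, same password:",
          weak_password(created) == weak_password(created))
    print("password lies inside the window's output set:",
          weak_password(created) in outputs)
    print(f"nominal {nominal_bits():.1f} bits, "
          f"effective {effective_bits(outputs):.1f} bits")
    print("CSPRNG outputs differ:", strong_password() != strong_password())
```

When reviewing a generator, the check to make is that no clock, process ID or other guessable value is the sole source of its randomness.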