It is the nightmare of every Bitcoin owner. The password has been forgotten, but the price of the cryptocurrency has risen massively in the meantime. What should I do?
The wallet in question, owned by the anonymous owner, contained 43.6 Bitcoin, which was already worth millions, but without a password the asset was worthless. The password was once generated using the well-known Roboform password manager; that was the only information that could possibly help.
Help from the hacker
The owner then went to the well-known security researcher Joe Grand. The hacker is also known by his pseudonym “Kingpin” and was supposed to help the owner get his Bitcoin. These were stored in the wallet and were still waiting to be opened. But without a password, this usually turns out to be an impossible undertaking.
Joe Grand initially refused the job of cracking the software wallet. After all, the task was to guess the password that Roboform had once generated. On the second attempt, he finally agreed to try. The decisive factor was the information that the wallet owner was able to provide him with about the password.
First, the expert set about disassembling the ten-year-old version of Roboform to better understand how it works. In doing so, Grand discovered a security flaw that limits the randomness of passwords.
This was a first clue. Combined with the parameters of the original password (20 characters with uppercase, lowercase and special characters) and the time period in which it was originally generated, the expert set about finding out.
The disassembled version of Roboform began to regenerate the passwords during the defined period; these were then tried one after the other on the wallet. But the attempt failed.
The parameters in combination with a vulnerability bring success
Then the owner of the lost Bitcoin remembered that he had also generated passwords without special characters at the time. The next version with the adjusted parameters then brought the desired success. In fact, the password for the Bitcoin wallet at that time did not contain any special characters.
In total, the expert spent several months cracking the wallet, but in the end he was successful. But this was only possible because many of the parameters used to create the combination were known. The vulnerability in Roboform has long since been fixed, but it could have been a problem at the time, as Grand explains.
He received 13.6 Bitcoin for his efforts, and the owner still had 30 Bitcoins left, which are worth around 1.9 million euros at the current exchange rate.