While very few of us could claim to be enjoying a stellar start to the year amid the coronavirus pandemic and the threat of global civil unrest, spare a thought for Stefan Thomas. The German-born programmer who lives in San Francisco is locked out of $277.5m (£203m) worth of bitcoin after forgetting the password to a hard drive.
The drive, which contains the keys to a digital wallet holding 7,002 digital coins of the cryptocurrency, allows 10 attempts at guessing the password before it seizes up and encrypts its contents, losing the hundreds of millions forever.
Mr Thomas was given the bitcoin in exchange for creating an animated video called ‘What is Bitcoin?’ 10 years ago, but lost the digital keys to the wallet later that year. While each bitcoin was worth $2-$6 at the time, they’re now worth $39,000 each at the time of writing as a result of the currency’s volatile fluctuations.
He has already tried eight of his most commonly-used passwords, leaving him with just two attempts to retrieve the money. “I would just lie in bed and think about it,” he told the New York Times. “Then I would go to the computer with some new strategy, and it wouldn’t work, and I would be desperate again.” He has since put the IronKey hard drive in a secure facility in part to stop himself overthinking it, adding: “I got to a point where I said to myself, ‘Let it be in the past, just for your own mental health’”.
Mr Thomas is far from alone. Around 20 per cent of the existing 18.5m bitcoin – currently worth around $146bn – appear to be in lost or otherwise stranded wallets, according to the cryptocurrency data firm Chainalysis, money which may never be recovered. James Howells, an IT worker from Newport who accidentally threw away a hard drive containing even more bitcoin than Mr Thomas (some 7,500 coins, worth $300m) in 2013, is currently offering Newport City Council 25 per cent of the money to let him search its landfill site, which the council says is not possible under its licensing permit.
Likelihood of retrieving fortune is ‘moderately low’
As it stands, even if Mr Thomas called in cryptography experts to try and crack into the IronKey, the chances of recovering his fortune are “moderately low,” according to Jake Rogers, chief information security officer at cryptocurrency custodian Copper, which stores its clients’ cryptocurrency in secure offline storage.
“IronKey devices are very well regarded in the industry as being impenetrable,” he told i. “The experts would need to find a flaw or an exploit to crack that very high level of encryption; it would be a significant endeavour. I would be very surprised if they managed to get into it.”
People who pay to store their crypto with custodians are protected by a technology called MPC (Secure Multi-Party Computation) that splits an account’s private key into three pieces, one of which goes off to a trusted third party, meaning if a client happens to forget their password, they’re able to recover it.
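The custodial recovery described above rests on threshold secret sharing. The following is an added example, not Copper's code, and a simplification: real MPC custody signs transactions with the shares and never reassembles the key in one place, whereas this Shamir 2-of-3 split over the secp256k1 group order reconstructs it to show the principle. The 2-of-3 policy and the three holders (client, custodian, third party) are assumptions for illustration.

```python
import secrets

# Order of the secp256k1 group. A bitcoin private key is an integer in [1, N-1],
# so arithmetic modulo N shares a real-sized key exactly.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def split_key(key, threshold=2, shares=3):
    """Return `shares` points (x, f(x)) on a random polynomial with f(0) = key.
    Any `threshold` points determine f; fewer say nothing about f(0), because
    the remaining coefficients are uniformly random."""
    if not 1 <= key < N or not 1 <= threshold <= shares < N:
        raise ValueError("bad key or threshold parameters")
    coeffs = [key] + [secrets.randbelow(N) for _ in range(threshold - 1)]

    def f(x):
        return sum(c * pow(x, i, N) for i, c in enumerate(coeffs)) % N

    return [(x, f(x)) for x in range(1, shares + 1)]

def recover_key(points):
    """Lagrange-interpolate the points at x = 0 over GF(N). With at least
    `threshold` distinct points this is the key; with fewer it is a random value."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret

def custodial_recovery(key):
    """Constructed scenario: client, custodian and a third party hold one share
    each under an assumed 2-of-3 policy. True if the key survives the client
    losing their share and no single holder can recover it alone."""
    client, custodian, third_party = split_key(key, threshold=2, shares=3)
    lost_client_ok = recover_key([custodian, third_party]) == key
    other_pairs_ok = all(recover_key(pair) == key
                         for pair in ([client, custodian], [client, third_party]))
    alone_fails = all(recover_key([s]) != key for s in (client, custodian, third_party))
    return lost_client_ok and other_pairs_ok and alone_fails

if __name__ == "__main__":
    demo_key = secrets.randbelow(N - 1) + 1  # constructed, not a real wallet key
    print("2-of-3 recovery works:", custodial_recovery(demo_key))
```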
While very few of us have millions of pounds at stake if we forget a password, Mr Thomas’ dilemma highlights the inherent problem with them – they need to be strong enough that hackers or other malicious individuals cannot guess them, yet simple enough for their creator to remember, points out Peter Yapp, former Deputy Director at the UK’s National Cyber Security Centre (NCSC) and partner at Schillings.
“There are huge long lists of easily crackable passwords that the majority of people use,” he says. “It’s amazing how people go for the lowest common denominator and the simplest things – with work-related accounts they’re often using the name of the company they work for or even the term ‘password’ itself, a hacker doesn’t even have to think about it.”
Weak cybersecurity heightens risk of hacking
Many people still store passwords in Word documents saved on their computers or even in easily searchable spreadsheets, despite the pleas of security experts to avoid keeping records of passwords in non-encrypted forms, he says. The randomly generated passwords that web browsers including Google Chrome and Apple’s Safari are able to suggest and store are much better than using (and reusing) weak passwords across multiple sites, as are free and paid-for password managers such as 1Password, LastPass, Dashlane and Keeper Password Manager and Digital Vault, which store login information securely, suggest new complex passwords and require you to remember just one password – the one that lets you into the manager itself.
“Bill Gates predicted the death of the password 17 years ago, and here we are, still absolutely reliant on them,” Mr Yapp points out. “There’s been all sorts of initiatives to try and get rid of passwords but we’ve still not managed it because it’s really difficult to do. I don’t think they’re going away any time soon.”
While Mr Thomas admits he already has more money than he knows what to do with, thanks to remembering the passwords to various other bitcoin holdings, it’s possible we’ll never know whether the elusive password ever comes to him in a eureka moment.
“Very few people have gone public in acknowledging they’d locked themselves out of so much money,” Mr Rogers says. “If I were in his position and managed to uncover the fortune, I’d probably be very quiet past that point. We may never hear the outcome.”
For his part, Mr Thomas seems relatively philosophical, urging other crypto holders to regularly test their backups to ensure they’re still working. “I hope others can learn from my mistakes,” he tweeted on Tuesday. “An ounce of foresight could have prevented a decade of regret.”
What makes a good password? Three little words…
The UK’s National Cyber Security Centre (NCSC) has long championed using three random words as a password, such as ‘cactuscastlemint’. Personal details like family or pet names, place of birth or sports team related words are too obvious and easily guessed, it points out, saying that a combination of random words is more memorable than long strings of numbers and letters. “If it’s too complex, you’re never going to remember it,” says Mr Yapp.
Mr Rogers suggests turning on two-factor authentication wherever possible: for example, receiving a code by text message or email at an associated phone number or address, or giving another form of approval, before access to an account is granted. “Multi-factor verification is becoming far more important than the password”.