How researchers cracked an 11-year-old password to a $3 million cryptocurrency wallet


“Ultimately, we were lucky that our parameters and time frame were right. If any of these statements were wrong, … we would still be guessing blindly,” Grand says in an email to WIRED. “It would take much more time to pre-calculate all possible passwords.”

Grand and Bruno made a video to explain the technical details in more depth.

RoboForm, created by the American company Siber Systems, was one of the first password managers on the market and, according to the company, currently has over 6 million users worldwide. Siber appears to have fixed the RoboForm password generator in 2015. On a cursory look, Grand and Bruno found no indication that the 2015 version's pseudo-random number generator still used the computer's time, which suggests Siber removed it to fix the bug, although Grand says they would have had to examine it more closely to be sure.
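A toy model of the weakness described above, added here as an example and not RoboForm's code or Grand and Bruno's tooling: when a password generator's only entropy is the second at which it ran, an attacker who knows the generation window and the output parameters (length and character set) can regenerate every candidate and test each one against the lock. The timestamp, character set, length and the SHA-256 "lock" standing in for the wallet are all constructed for the demonstration.

```python
import hashlib
import random
import secrets
import string

# Assumed output parameters of the generator (constructed for the example).
ALPHABET = string.ascii_letters + string.digits
LENGTH = 20


def weak_generate(seed_seconds: int, length: int = LENGTH, alphabet: str = ALPHABET) -> str:
    """Toy generator seeded with a Unix timestamp.

    Constructed model of the weakness, not RoboForm's actual algorithm: the only
    secret is the second at which the password was produced, so the same second
    always yields the same password.
    """
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(alphabet) for _ in range(length))


def strong_generate(length: int = LENGTH, alphabet: str = ALPHABET) -> str:
    """Same output format, drawn from the OS CSPRNG: there is no seed to enumerate."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fingerprint(password: str) -> str:
    """Stand-in for the wallet: the attacker can test a guess but cannot read the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def recover(target: str, start: int, end: int, length: int = LENGTH, alphabet: str = ALPHABET):
    """Enumerate every second in [start, end] with the assumed parameters.

    Returns (seed, password, candidates_tried) on a hit, or None when the window
    or the parameters were wrong, i.e. the "guessing blindly" case.
    """
    tries = 0
    for seed in range(start, end + 1):
        tries += 1
        candidate = weak_generate(seed, length, alphabet)
        if fingerprint(candidate) == target:
            return seed, candidate, tries
    return None


if __name__ == "__main__":
    # Constructed scenario: a password made at a known-ish moment in 2013,
    # attacked with a two-hour window around it.
    made_at = 1367020800
    lost_password = weak_generate(made_at)
    lock = fingerprint(lost_password)

    hit = recover(lock, made_at - 3600, made_at + 3600)
    print("right window and parameters:", hit)
    print("wrong length:", recover(lock, made_at - 3600, made_at + 3600, length=19))
    print("wrong window:", recover(lock, made_at + 1, made_at + 3600))
    print("CSPRNG output (no seed to search):", strong_generate())
```

With the right window and parameters the search succeeds after at most one candidate per second in the window; a wrong length, character set or window returns `None`, which is exactly the failure mode Grand describes. Real generators usually mix the time with other state and use a longer seed, which widens the search but does not change the principle: whatever the seed space is, it is searchable, whereas `secrets` output is not.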

Siber Systems confirmed to WIRED that it resolved the issue in version 7.9.14 of RoboForm, released on June 10, 2015, but a spokesperson did not respond to questions about how it did so. The changelog on the company's website says only that Siber developers made changes to "increase the randomness of generated passwords," not how they did it. Siber spokesman Simon Davis says that "RoboForm 7 was discontinued in 2017."

Grand says that without knowing how Siber fixed the problem, attackers may still be able to regenerate passwords produced by versions of RoboForm released before the 2015 patch. He is also not sure whether current versions still contain the problem.

“I’m still not sure I would trust it without knowing how they actually improved password generation in newer versions,” he says. “I’m not sure RoboForm knew how serious this particular weakness was.”

Customers may also still be using passwords generated by early versions of the program, before the patch. Siber does not appear to have told customers, when it released the revised version 7.9.14 in 2015, that they should generate new passwords for critical accounts or data. The company did not respond to a question on this matter.

If Siber did not inform customers, then anyone who, like Michael, used RoboForm to generate passwords before 2015 and still uses them could be relying on weak passwords that attackers could recover.

“We know that most people don’t change their passwords unless asked to do so,” Grand says. “Of the 935 passwords in my password manager (not RoboForm), 220 of them are from 2015 and earlier, and most of them are [for] sites I still use.”

Depending on how the company fixed the problem in 2015, newer passwords may be vulnerable as well.

Last November, Grand and Bruno took a percentage of the bitcoins from Michael's wallet as payment for their work, then gave him the password to access the rest. Bitcoin was then worth $38,000 per coin. Michael waited until the price rose to $62,000 and sold some. He now has 30 BTC worth $3 million and is waiting for the price to reach $100,000 per coin.

Michael says he was lucky to have lost the password years ago, because otherwise he would have sold the bitcoin when it was worth $40,000 a coin and missed out on a larger fortune.

“It was a good thing financially that I lost my password.”
