Forgotten password for a Bitcoin wallet from 2013 recovered, unlocking 43.6 BTC

[nullama]

Source: https://archive.is/BZal2

In 2013, a man stored 43.6 BTC in his wallet, and protected it with a strong, 20-character password generated using a password manager called RoboForm.

Instead of simply storing this password in the password manager, he decided to store it in a file and encrypted it using a tool called TrueCrypt.

Some time later that encrypted file got corrupted, so he was unable to obtain the password to his wallet.

Now, the interesting part is that because of the way RoboForm generated passwords, it was possible to regenerate the same password and unlock the wallet!

Here's the video that explains this in more detail: https://www.youtube.com/watch?v=o5IySpAkThg

RoboForm used certain parameters like password length, use of upper or lower case letters, etc, which were simply guessed by the "hackers/researchers" based on other passwords that the man used in the past. But the crucial step is that RoboForm used the time of the system to seed the PRNG(Pseudorandom number generator) algorithm to generate the password. This reduced the number of checks dramatically and made it possible for them to crack it.

The password was generated on May 15, 2013, at 4:10:40 pm GMT. They were able to generate the same password that the software gave to the man at that time.

This is a happy ending, with the man now holding 30 BTC (he sold some and also paid the "hackers"), but it is also a cautionary tale:

If you use a password generator, make sure to manually edit it so that it is not possible for people trying to steal your money to do something like this.

[Hatchy]

This video clearly shows, why we as Bitcoiners should be careful of the software we claim to protect or coins or generate passwords for us. If you go through the video, you will see that the hackers were able to reverse engineer the back end code of the so called robo password generator and got access into their software. To me, such software is already a red flag because if they could do it, then others might also do same and equal use it against other users.

In the video, you can see that the hackers claims to be able to help others recover their lost bitcoins. And I know his claims are just to put up a show and draw more clients to himself. Brute forcing a Bitcoin seedphrase is impossible especially when you barely have any idea of the seed. While chosing a password to encrypt or further increase the security of our funds, we should be mindful of the software you use to generate them.

[moneystery]

if they can successfully do this, it means that all roboform users are also vulnerable because hackers can easily crack the passwords they have generated. this may be a concern for all users, especially roboform users, who usually use password generators to generate their passwords, that hackers with all their knowledge can easily crack the passwords they have generated and hack their accounts.

[wxa7115]

if they can successfully do this, it means that all roboform users are also vulnerable because hackers can easily crack the passwords they have generated. this may be a concern for all users, especially roboform users, who usually use password generators to generate their passwords, that hackers with all their knowledge can easily crack the passwords they have generated and hack their accounts.

In a way I am surprised that password managers are still being used, after all you can easily create more secure passwords on your own.

Since if you were to create a password with 10 or more words of length, use words coming from different languages and some of those ‘words’ were composed with numbers and special characters, you will have a password that is very close to be impossible to break, and if you were to store that password offline, the only way for an adversary to break it would be by getting physical access to the password itself.

[pinggoki]

if they can successfully do this, it means that all roboform users are also vulnerable because hackers can easily crack the passwords they have generated. this may be a concern for all users, especially roboform users, who usually use password generators to generate their passwords, that hackers with all their knowledge can easily crack the passwords they have generated and hack their accounts.

The hackers that have been a part of this are probably white hat hackers, most likely that they're going to report this to the RoboForm administration so they can do something about, another thing is that RoboForm is probably not using PRNG anymore so they're probably safe, password managers aren't that safe in the first place after all so I'm not sure that anything changes in all of this, I mean it would've been much safer if you just covered all of your bases and just written it down too, because that way, file corruption might not be a thing that will worry you so much. It's a happy ending for this man, hopefully this will also happen to other people that have their bitcoin locked out.

[davis196]

But the crucial step is that RoboForm used the time of the system to seed the PRNG(Pseudorandom number generator) algorithm to generate the password. This reduced the number of checks dramatically and made it possible for them to crack it.

So basically this Roboform password manager service sucks and the users of that service should run away and replace it with another service.
Congratulations to the guy, who got his BTC back. If I remember this correctly, the Bitcoin price was around 1K USD back in 2013(during the first major bull run), so this guy did the right thing by investing in BTC and try the best he could to protect his wallet and passwords.
There's a reason why all cold BTC wallets tell you to write your seed phrases and passwords on a piece of paper. Password manager software and services should not be trusted.

[Davidvictorson]

Here's the video that explains this in more detail: https://www.youtube.com/watch?v=o5IySpAkThg

I like the video. It is like a documentary with very interesting stories. And the stories told here are really very cool, it makes me wish I have some experience with ethical hacking. Learning that there are many people who have lost a lot of bitcoin through fault of theirs or not. Some are being able to be recovered and some are not. If Micheal, had created multiple backups that included the passwords and encryption keys and stored them in different locations, he would have saved himself, the 13.6BTC paid the hackers for their service.

[Zlantann]

If you use a password generator, make sure to manually edit it so that it is not possible for people trying to steal your money to do something like this.

When people want to go the extra mile in keeping passwords, they might end up losing it. For now, there is no alternative to writing passwords manually and keeping them in a safe place. This is because these electronic tools have a high tendency to have issues. If hackers can guess the password and the software can regenerate the password, this means such a tool is not safe. Many people have lost their money because of the same problems, so I count this guy lucky. Losing such an amount can cause lifelong regret or even depression.

[Forever101]

To keep a password should be ones choice, with the look of things , every means of keeping ones password has its advantage and disadvantage. One can choose which one seems good to them after much observation on which one will serve them best. The most things is the safety of the password.

[Lucius]

~snip~
If you use a password generator, make sure to manually edit it so that it is not possible for people trying to steal your money to do something like this.

I've never used such generators, it simply didn't make sense to me considering that anyone can create a password of quite satisfactory complexity that will be successful in resisting any brute force attack. However, I myself have seen many times that people are quite careless and use such simple passwords that they are easy to guess.

However, in this specific case, this user was actually lucky, because if by any chance he (without a program) generated and lost such a password, the chances of breaking it would be minimal.

[DaveF]

Also, keep in mind this was an 11 year old piece of software that has not had this particular vulnerability in 9 years.
Not excusing RoboForm but a lot has changed in the last decade.

Would be interesting to see how modern password managers & generators stand up to attacks.

-Dave

[Reatim]

This is a happy ending, with the man now holding 30 BTC (he sold some and also paid the "hackers"), but it is also a cautionary tale:

Well at least now I know how to hold bitcoin effectively: just forget your password!

No but joking aside while this might have ended up in favor of the man, this just shows how easy it is to crack a password that is generated by this particular software. In general, I just wouldn’t trust any kind of software even google to generate a password for me. I am sure we are all capable of making passwords that are difficult to guess or reverse. Just make sure that you store it somewhere safe and one that can not access without your permission

[ABCbits]

If you use a password generator, make sure to manually edit it so that it is not possible for people trying to steal your money to do something like this.

Feel free to do that if that makes you feel safer. But personally i wouldn't worry about since it require the attacker,
1. Steal my encrypted wallet file.
2. Know that i use certain password generator software.
3. Know password length and which character type i requested from the software.

And it's not like all password generator software have same flaw as mentioned by the archived article.

[lovesmayfamilis]

Did I understand correctly that he forgot the wallet password? But using TrueCrypt also requires a password, so it turns out that he knew it. As far as I know, all the advertising that was carried out about this TrueCrypt program makes it almost impossible to decrypt its passwords and disks. Does this mean that something has also changed?
As for the Roboform, I have had a long-standing friendship with it for quite a while; probably even now, there are several passwords created by this generator. Previously, it was very convenient to store all the forms needed to fill out in this program, but when the developers switched its saving to online mode, trust instantly disappeared.

[albon]

Did I understand correctly that he forgot the wallet password? But using TrueCrypt also requires a password, so it turns out that he knew it. As far as I know, all the advertising that was carried out about this TrueCrypt program makes it almost impossible to decrypt its passwords and disks. Does this mean that something has also changed?
As for the Roboform, I have had a long-standing friendship with it for quite a while; probably even now, there are several passwords created by this generator. Previously, it was very convenient to store all the forms needed to fill out in this program, but when the developers switched its saving to online mode, trust instantly disappeared.

According to what was mentioned in the archived article above, the 2013 version of Roboform that this person used to generate the 20-character password, which he forgot because he did not store it in his manager, contained a vulnerability that existed until the 2015 versions, which made it easier for the specialists this person consulted to predict and smoothly crack the generated password by knowing the date and time of the user's computer and some other parameters.

I see that what this person did in the past has become outdated due to the lack of other safer alternatives available now. It is advisable to avoid using generate or manage password programs because, as we have seen, these programs can contain vulnerabilities that can be exploited, thus putting the wallet owner at great risk. Indeed, since Roboform has now been developed into an online mode, it has lost the security factor it previously had.

[Dunamisx]

Source: https://archive.is/BZal2

In 2013, a man stored 43.6 BTC in his wallet, and protected it with a strong, 20-character password generated using a password manager called RoboForm.

Instead of simply storing this password in the password manager, he decided to store it in a file and encrypted it using a tool called TrueCrypt.

The start of the story seems confusing a bit to me, he used a password manager but did not store his generated password on the password manager, instead finds another more secured means, but my own question in the first place is that, why did he have to use a password manager in the first instance, they generated to him some set of password in which i also believe they could have a backup of it on their central server because this is a third party organization we are talking about, am just curious about the whole story and how he managed to recover his money back.
 

[nullama]

~snip~
The start of the story seems confusing a bit to me, he used a password manager but did not store his generated password on the password manager, instead finds another more secured means, but my own question in the first place is that, why did he have to use a password manager in the first instance, they generated to him some set of password in which i also believe they could have a backup of it on their central server because this is a third party organization we are talking about, am just curious about the whole story and how he managed to recover his money back.
 

Local password manager generates password (no online services).

Instead of using the manager to save the password, he wrote it in a text file and encrypted the file.

That file got corrupted, therefore losing access to the password.

The researchers were able to regenerate the same password because the password manager used the time of the system as the seed, so they just tried a bunch of times and it worked.

They had the rough estimate of the time, and some parameters like the length of the password as well as the type of algorithm the generator used.

[As03]

I saw the video on youtube.
Am i the only one thinking this is weird as F ? especially them not showing the unlocking of the wallet or anything ?

Sad that I question everything I guess but there's so many fake videos.

[pawanjain]

I am not sure whether I should be happy reading the post or feel bad about it. I'll just list both of them down though.

I am happy about the fact that the person received his funds back and is now holding 30 BTC which is a pretty huge amount of money.
I am happy that the hackers got a nice reward for their efforts.
I am happy that 43.6 BTC is now active in the circulation supply again which means more BTC for us  .

I feel bad because the hackers will now be able to use the same technique to hack other users of Roboform as well.
I feel bad because the user initially used a wrong technique to store his password while being a bitcoin hodler.
Every bitcoin holder should know the effective way to hold their coins.

[peter0425]

Also, keep in mind this was an 11 year old piece of software that has not had this particular vulnerability in 9 years.
Not excusing RoboForm but a lot has changed in the last decade.

Would be interesting to see how modern password managers & generators stand up to attacks.

-Dave

Is roboform not used these days anymore and the people behind it just stopped working and developing it? Because if yes then that would make sense how it only took a couple of hackers to get back the password. New technology has emerged in the last decade so we can expect that they are much more secure and safe and not at all easily compromised.