2 hackers just proved that with a little smarts and a lot of persistence, you can break into the best-kept digital safes.
Their target? A Bitcoin wallet containing $3 million in change, locked with a 20-character password generated by the Roboform password manager in 2013. The owner, a certain Michael, lost this sesame and thought his money would be lost forever inaccessible. But that was without counting on the determination of Joe Grand and his friend Bruno, who were determined to accept the challenge.
Michael, who had owned the cryptocurrency since 2013, stored his 43.6 BTC (worth about $5,300 at the time and about $3 million today) in a TrueCrypt encrypted file that contained a Roboform-generated password that he did not enter into a password manager for fear of being hacked. Unfortunately, the encrypted file became corrupted and Michael lost access to his wallet.
Joe Grand, a well-known electrical engineer and hacker, rejected Michael’s first request for help in 2021, deeming the task impossible without a bug in Roboform. However, in 2022, Michael tried his luck again. After months of analyzing Roboform’s code, Joe Grand and Bruno discovered that older versions, prior to 2015, used a method of password generation based on the system clock. Knowing the exact date and time of creation, as well as the parameters of the password, they were able to reconstruct the original password.
At first, Michael did not remember the exact date his password was generated. According to his wallet records, he started transferring Bitcoins there on April 14, 2013. Analyzing the timeline and common settings, Joe and Bruno first searched the range from March 1 to April 20, 2013, then to June 1, 2013, without success. Only after multiple adjustments, and excluding special characters, were they able to generate the correct password created on May 15, 2013 at 16:10:40 GMT.
The bug was in the password generation algorithm of older versions of Roboform, which was not as random as claimed. It allowed you to reconstruct a password by manipulating your computer’s clock to go back in time. Everything is explained in the video below:
It should be noted that as of June 2015 version 7.9.14, Roboform claims to have fixed this flaw and improved random password generation. However, Joe Grand remains skeptical of this Roboform statement as they did not specifically recommend that users generate new passwords for their accounts after this update, potentially leaving vulnerable passwords in circulation.
In short, a password is not infallible even if it is generated by a reputable tool and it is better to use long and complex passwords, change them regularly and activate two-factor authentication wherever possible. Don’t blindly trust password generators either, especially if they are several years old.
In short, be careful and well done Michael, for whom life will surely change from now on.