Researchers Recover BTC Password Using Roboform Vulnerability


  • A man named Michael lost the password to a Bitcoin wallet that held tokens worth $3 million. The password was created in 2013 with RoboForm’s random password generator.
  • Thankfully, two security researchers were able to help him out by using a vulnerability in the old version of the password generator.
  • The vulnerability has now been fixed but only passwords created after 2015 will be secure after the update.


In a bizarre new case, two security researchers have managed to crack a password that was lost for over 11 years, recovering bitcoins worth $3 million.

The owner of the wallet, Michael, shared the incident in a video and said: “I generated the password, I copied it, put it in the passphrase of the wallet, and also in a text file that I then encrypted.”

However, he lost the passcode when the encrypted part of his computer that contained the password became corrupted. And since it was a random password generated by RoboForm’s password generator, there was no way he could recall it.

At the time, the lost bitcoin was only worth a couple of thousand euros, so he let it go with a heavy heart. However, this incident dates back to 2013 and a lot has changed since then. The value of the same bitcoins rose by 20,000 percent, making him reach out to security researchers to help recover the money.

He reached out to electrical engineer Joe Grand (also known as Kingpin), who initially refused the job but agreed after he came up with a novel method of attacking the password generator that had produced the original password.

Michael now retains about $2 million worth of Bitcoins which he plans to hold on to until each token is worth $100,000.

Grand teamed up with his colleague Bruno and used a reverse engineering tool developed by the US National Security Agency (NSA) to disassemble the password generator’s code and work out how it produced the password.

After the job was done, a portion of that Bitcoin went to Grand and Bruno, and another small part of it was sold off.

Talking about the incident, Michael also added that in a way he is grateful he lost his password; otherwise, he might not have held onto these tokens for this long.

RoboForm’s Outdated Password Generator

While this incident was a win for Michael, it also sheds light on how weak RoboForm’s old password generator was. Ideally, it’s supposed to create a new and unpredictable password every single time, but apparently, that was not the case.

While cracking this password, Grand learned that the generator derived its output from the system clock: if you can control the time, you can control the password it creates. In simple terms, if they could make the generator believe it was still 2013, it would create the same password. So that’s what they did.

Since they didn’t know the exact time when the password was created, the duo generated millions of passwords for timestamps around that period and were eventually able to find the right one.

It’s important to note that this vulnerability has been fixed now. So any password that was created after 2015 using RoboForm’s password generator cannot be hacked with this time-based approach.
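The weakness described above is a general one: a generator seeded only from the clock can produce at most one password per clock tick, so its real strength is the size of the time window, not the length of the password. The following is an added illustration written for this article, not RoboForm’s code or its actual algorithm. It uses a constructed toy generator (`weak_generate`) seeded with a whole-second timestamp, shows how a known output pins down the timestamp it was made at, and contrasts the effective entropy with that of a generator drawing from the operating system’s CSPRNG (`strong_generate`). All timestamps and window sizes are made-up sample values.

```python
import math
import random
import secrets
import string

# Constructed alphabet for the toy generators: 52 letters, 10 digits, 8 symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def weak_generate(timestamp: int, length: int = 20) -> str:
    """Toy time-seeded generator (illustrative, NOT RoboForm's algorithm).

    Seeding a non-cryptographic PRNG with the clock makes the output a pure
    function of the timestamp: same second in, same password out.
    """
    rng = random.Random(timestamp)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int = 20) -> str:
    """Hardened counterpart: every character comes from the OS CSPRNG,
    so there is no seed to rewind and no relation to the clock."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def find_timestamp(target: str, start: int, end: int, length: int = 20):
    """Walk a window of candidate seconds and return the one whose output
    matches `target`, or None. This is the audit a reviewer would run to
    prove a generator is time-seeded: if a known output is found here,
    the generator's strength is bounded by the window, not by `length`."""
    for ts in range(start, end):
        if weak_generate(ts, length) == target:
            return ts
    return None


def nominal_entropy_bits(length: int = 20) -> float:
    """Entropy the password *looks* like it has: log2(|alphabet| ** length)."""
    return length * math.log2(len(ALPHABET))


def effective_entropy_bits(window_seconds: int) -> float:
    """Entropy a time-seeded generator *actually* provides: log2 of the
    number of distinct seconds the password could have been made in."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    # Constructed sample: a password "made" at a fixed timestamp in 2013
    # (seconds since the Unix epoch), then searched for in a +/- 1 hour window.
    created_at = 1356998400
    password = weak_generate(created_at)
    recovered = find_timestamp(password, created_at - 3600, created_at + 3600)
    print(f"password {password} reproduced at timestamp {recovered}")

    one_day = 24 * 3600
    print(f"nominal strength:   {nominal_entropy_bits():.1f} bits")
    print(f"effective strength: {effective_entropy_bits(one_day):.1f} bits "
          f"for a one-day window")
    print(f"CSPRNG-based sample: {strong_generate()}")
```

The numbers make the point: a 20-character password over a 70-symbol alphabet nominally carries about 122 bits, but if it came from a clock-seeded generator and the creation date is known to within a day, there are only 86,400 candidates (about 16 bits), which is exactly the kind of enumeration the researchers performed at larger scale. A generator that takes its randomness from the OS CSPRNG, as the hardened function does, has no timestamp to recover.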

A Bit About RoboForm

RoboForm is one of the best password managers around with an industry experience of 20 years. With over 6 million individual users and 40,000 business users, RoboForm is a trusted name with an impeccable track record. It has never been involved in any data breaches in the past.

And even though there have been vulnerabilities (like the one discussed above), all of them have been fixed by their security experts in due time.

As our detailed RoboForm review found out, the platform uses standard AES-256 encryption with features like secure password sharing, safety assessments, web monitoring, and two-factor authentication, among others.

The plans start at just $2.49/month. Plus, there’s even a free-forever plan.
