How to Unlock Your Half-Forgotten Crypto Passwords

Cryptocurrency security hides user passwords via hashing algorithms that change a normal password into a unique string of numbers and letters, called a hash. For example, Ethereum wallets use a password-based key derivation function, meaning users input a unique password they can remember, and in return, they get a key that works as a unique, virtually uncrackable, authorization code. Only a small number of algorithms have been compromised over the years, such as MD5 and SHA1.

"With Ethereum, because it's decentralized, you actually do all this on your own computer and it doesn't even touch the internet. You say, I'm creating a wallet with the password 'banana', and it turns into this mess of a key. And because there's no company interface, there's no one that can help you reset that password if you forget it. So the only way to fix that problem, I guess, is to find clever ways to try using that same hash to try and reproduce the complicated output," Phil Dougherty, software developer at the University of Wisconsin said.

How to reset your lost Ethereum password.

Basically, you go phishing. During a phishing attack, a hacker attempts to gather information about their target without their knowledge and consent, usually through compromised email links and official-looking forms. Ethereum's security protocols are quite strong on a technical level, but they can't prevent a person from figuring out a password simply by asking the owner what it is, or tricking them into giving it up.

The scary part is that the victims willingly answer personal questions about their security. Do they capitalize letters or change some to numbers? Do they use their birth year, a favorite movie or song? What about special symbols?

"Maybe, instead of choosing your favorite city, you chose your favorite movie or an actor or your name, or something like that. Over email I just repeatedly ask the person and help massage it out of them where it's not clicking, to break down why the things that they think their password might be, are," Dougherty commented..

Once Phil has that knowledge he can then use a mix of the password-cracking software hashcat and a program he built, called expandpass, which cycles through varying, controlled permutations of specific words and symbols, however, on an extremely large scale. That way he can crack passwords with only bits and pieces of information.

Pretty much anyone can get these apps, but not everyone can use them effectively. It takes a combination of skill and hardware to make good use of them. You're gonna need a lot of RAM and a powerful CPU to crack passwords and even then it will take a significant amount of time. Weeks to months depending on the password and the data you have.

So if you have the patience, a bit of knowledge, the necessary hardware and at least a bit of information on your lost Ethereum password you could potentially crack it with hashcat Dougherty's expandpass app.

March 13, 2020

Leave a Reply