$25bn down the back of the sofa

Image for post
Image for post

♬When you’ve lost the password, for your bitcoinz …Who ya gonna call? … Crypto-hypnotists♬ ♬I ain’t afraid of no private key♬

When I was young — and when we have no money for sweets and comics — me and my sister would raid the sofa, as it tended to be full of money that had fallen out of people’s pockets. So either pockets are better than they used to be or sofa’s are built better, there just doesn’t seem to be as much money that falls down them now (but maybe I just haven’t looked recently).

But there’s another place to look … and it’s in the cryptocurrency space … lost bitcoins. These might be bitcoins that were purchased a while back, and are now worth a great deal of money, but where the owner has lost the password to get access to the wallet. Chainalysis, think that there are 3.7 million “lost” bitcoins (about $25 billion in worth), and which have not been touched for years. Around $2 billion of this is sitting with Satoshi Nakamoto, and who might have the password, or is perhaps “he” is busy running a brute force attempt on the wallet. It is thought, too, that there could be, at least, 300 wallets which contain between 1,000 ($300,000) and 10,000 ($3million) bitcoins.

In fact, there’s a good market to be had in trying to get people to remember their Bitcoin wallet passwords. This has brought a growth in “crypto-hypnotists” and who say they will hypnotise you and unlock the place of your mind where your password is stolen. Typically questions are … “What is your favouriate place?”, “Can you tell me the names of your pets?”, “Where do you come from?”, and the usual things that people derive their password from. Jason Miller, a hypnotist from South Carolina-based, asks for half a bitcoin in fees for three sessions, and then 5% of the recovered amount.

So let’s explain how the wallet works. Well when we create a new wallet we create a public key and a private key — the key pair. The way that a transaction works for Alice sending Bob some bitcoins, is that Bob sends his Bitcoin ID, and then Alice creates a transaction that says she will pay him so many bitcoins. She then signs the transaction with her private key (this is an encryption process that proves her ID and the contents of the transaction). After this she adds the transaction on the blockchain, and within 10 minutes the miners will have picked it up, and, if they agree to it, it will be added to the blockchain. Others can prove it was Alice who signed it, as she can provide the associated public key:

Image for post
Image for post

Obviously the keys are not created randomly, as it would be almost impossible to remember the 256-bit keys, so we use a pass phrase, which is fed into a seed generator and which then accesses the wallet — and thus the private key in the wallet:

Image for post
Image for post

So, apart from a crypto-hypnotist, how else might Alice recover the keys from her wallet. Well the first might be a brute force on finding the private key associated with the public key. Well this has virtually no chance of succeeding. The private key is generated from a 256-bit random number [here]. Even if we had every single computer in the worldswitched on and trying the keys, it would take more than:

3.6 million million million million million million million million million million million million million million million million years

to find the key by brute force. So we are left with cracking the seed of the wallet, which is much simpler. For this we can make a simple calculation called the key entropy, which is:

Key entropy (in bits) = log₂(Number of passwords)

and as you don’t have a log₂() on your calculator, we can use log₁₀() as:

Key entropy (in bits) = log₁₀(Number of passwords)/log₁₀(2) [here]

So, if we had around 1 million passwords that we would choice from then the key entropy is:

Key entropy (in bits) = log₁₀(1,000,000)/log₁₀(2)

and which is approximately equal to 20 bits. So our key is just 20 bits long, and it would only take a maximum of 2²⁰ attempts to find the password. With a GPU that cracked at 1 billion attempts per second, it would take 1 milli second (one thousands of a second) to crack every password.

And so we typically are forced to use long passwords, and with additional characters, but often these are guessable (as we do not have much storage for remembering long and complex passwords). One tool which can be used to recover passwords is BTCRecover:

c:\btcrecover-master> python btcrecover.py --passwordlist pass.txt --wallet wallet.data
Starting btcrecover 0.17.10 on Python 2.7.13 32-bit, 16-bit unicodes, 32-bit ints
Wallet difficulty: 1024 PBKDF2-SHA512 iterations + ECC
Using 6 worker threads
0 of 2 [----------------------------------------------] 0:00:00, ETA: --:--:--

Here is me creating a wallet and then using the tool (8m46s):

The methods used by the tool are the typical ones that are used to crack passwords. Basically it generates the password, and then tries it on the wallet. If it gets an exception, it moves onto another possible password.

Tokens

With this the user will use a number of tokens in the password and then link them together, such as:

  • bill

and which would generate tokens of billtest, billedinburgh, testedinburgh.

Mutual exclusion

These would define that we won’t use two things together, such as:

  • bill

and which would generates billtest, billtest1, billtest2, but not billtesttest1.

Required Tokens (+ to require string in all passwords)

If we know for a fact that we used a certain word in the password, we can make sure it is included with a “+” symbol in the word list:

  • +bill

and which takes tokens and adds them eg billtest, billedinburgh, and not testedinburgh.

Anchor (start of the string, “$” at the end)

If we know that we always start a password with a given word or end it (which is less likely), then we can add an anchor (^ for the start and $ for the end):

  • ^bill

Generates billtest, billtest1, billtest2, and not test1bill.

Positional anchors

We might also know the position that words are likely to be added in, so we can add a positional anchor:

  • ²^bill

and which takes tokens and adds them eg testbill, edinburghbill (and where “bill” is placed in the 2nd position).

Numbers

Unfortunately most people, when asked to add a number onto their password, will typically put it at the end, so we can accomodate this with a “%d” identifier:

  • bill%d

and which takes tokens bill1, bill2, and so on.

And then there are a whole lot of other options we can use in the command line that might catch our password:

  • max-tokens (the maximum tokens to use)

Conclusions

If you want to remember your password, pick something like a phase from a song, and change it in a way that you know (and not just that you make the first character upper case, and add a number at the end).

If you want to stop your wallet from being hacked:

  • At least 12 Characters for pass phrase.

Oh … it anyone has a wallet that needs cracked, I am available for psychic sessions ;-)

I did some analysis — in class — on final year students and their passwords, and it is here:

https://www.linkedin.com/pulse/analysing-passwords-prof-bill-buchanan-obe-phd-fbcs/

… and you can see that Cyber Security students fall for the same old methods that everyone else does (eg add a number at the end and make the first character the uppercase one).

Written by

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. EU Citizen. Auld Reekie native. Old World Breaker. New World Creator.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store