Categories: Ethereum

Consensual phishing: How to crack your half-forgotten crypto password

Click here to view original web page at

Phil Dougherty has a side hustle as a friendly hacker. By day, he's a software developer at the University of Wisconsin, building free educational games and conducting research on the ways people play them. Meanwhile, back at home, Dougherty is the shepherd of a program that's constantly running down ways to break into other people's cryptocurrency wallets.

Dougherty works with folks who have lost, forgotten or incorrectly written down their Ethereum passwords, locking themselves out of their wallets and forfeiting the digital cash that's lurking within. These people are, essentially, shit out of luck. There's no customer support hotline for Ethereum, no security questions to answer, no "Forgot password?" link.

Cryptocurrency security relies on hashing algorithms that transform a traditional password, such as "banana$123," into a unique string of numbers and letters, called a hash. To get specific, Ethereum wallets use a password-based key derivation function, meaning users input a unique password they can (theoretically) remember, and in return, they receive a key that serves as a unique, secure authorization code. The idea is that it's impossible to reverse-engineer the hash to unlock a user's base password, though a handful of algorithms have been compromised over the years, including MD5 and SHA1. However, as Dougherty's clients have discovered, Ethereum's security system is tight.

"With Ethereum, because it's decentralized, you actually do all this on your own computer and it doesn't even touch the internet," Dougherty told Engadget. "You say, I'm creating a wallet with the password 'banana', and it turns into this mess of a key. And because there's no company interface, there's no one that can help you reset that password if you forget it. So the only way to fix that problem, I guess, is to find clever ways to try using that same hash to try and reproduce the complicated output."

Essentially, you go phishing. In a phishing attack, a hacker attempts to gather information about someone without their consent, commonly through compromised email links and official-looking forms. Ethereum's security protocols may be solid on a technical level, but they can't stop someone from figuring out a password simply by asking the owner what it is, or tricking them into dropping clues.

Only, Dougherty isn't tricking anyone. People come to him and willingly answer personal questions about their password habits. Do they usually capitalize letters or change some to numbers? Do they use their birth year, a favorite location or special symbols?

"Maybe, instead of choosing your favorite city, you chose your favorite movie or an actor or your name, or something like that," Dougherty said. "Over email I just repeatedly ask the person and help massage it out of them where it's not clicking, to break down why the things that they think their password might be, are."

Dougherty then uses a mix of the password-cracking software hashcat and a program he built, called expandpass, which runs through varying, controlled permutations of specific words and symbols, but on a massive scale. On GitHub, he describes expandpass as, "useful for cracking passwords you kinda-remember."

These programs are free and publicly available, but most folks don't have the hardware or the programming expertise to put them to use. Dougherty happens to have the practical knowledge, and his rig is significant: It's running a 1080 Ti graphics card with a 16-core CPU and 64GB of memory. Still, it can take months to crack a password.

If he's successful, the client pays him. In Ethereum, of course. Sometimes, however, Dougherty cuts a project off after a few months, before finding the proper password, and he and the client go their separate ways. He doesn't call this failing.

"There is no fail state, right?" he said. "I could keep trying indefinitely on anything. It's more of a give-up state where it's no longer worth my time or their time to keep iterating on this, to keep my cracking rig running. Because it does consume power. So, there's an interesting negotiation that takes place."

Dougherty got his start in cryptocurrency cracking in 2017, after reading a Reddit post from someone who wanted to brute force their way into their own Ethereum wallet. The Redditor remembered part of their password and generally what it looked like, handing Dougherty a puzzle perfectly suited to his interpersonal coding skills. He and five other programmers ended up racing to crack this user's password. Dougherty won.

"I successfully unlocked that guy's password, and then straight from that post I started getting, 'Well wait, hey, could you try to help me with that?'" Dougherty said. "Things organically grew from there."

Cryptocurrency looks a little less complicated from the perspective of a phisher. From this lens, it doesn't matter how robust the technical protocols are, when humans are much more predictable. Dougherty has encountered a handful of common, inherently human crypto-password quirks that are also potential security risks. For one, a lot of people use words that pertain to the actual function of the password, like "Ethereum" or "wallet."

"I'd say 90 percent and up use their birth year or the last two digits of their birth year," Dougherty said. "And another funny thing is, there is a demographic of people who use cryptocurrency, so they all tend to be born around the same time. These years are a pretty narrow range, which is like, that's a security consideration. Knowing just that isn't sufficient to break in or anything, but it's a start."

Luckily, Dougherty is using this knowledge for good. He normally works with Ethereum, but his method should apply the same way across other wallets and half-forgotten-password scenarios. With potentially game-changing cryptocurrencies on the horizon, such as Facebook's Libra, Dougherty's services should be in high demand. At least, until Zuckerberg and friends enter the cryptocurrency customer service business themselves.

"The thing that's particularly rare about it, actually, is that it's collaborative and consensual," he said. "Because cryptocurrency is so new, I think that this is the first instance where it's useful to have a person in my position, where I can work with a client, consensually, to come to these conclusions."

Images: Phil Dougherty (expandpass); SOPA Images / Getty Images (Ethereum)


Illuminati, Mason, Anonymous I'll never tell. I can tell you this, global power is shifting and those who have the new intelligence are working to acquire this new force. You matter naught except to yourself, therefore prepare for the least expected and make your place in the new world order.

Disqus Comments Loading...
Published by

Recent Posts

Bitcoin Price Chart Forecast: BTCUSD Awaits Pennant Breakout

Bitcoin Price Forecast: A series of lower highs and slightly higher lows has formed a pennant pattern Regardless of direction,… Read More

2 hours ago

Billionaire Blackstone CEO Heaped Praise On Blockchain—But Made A Bitcoin Warning

Bitcoin has won over many from the traditional finance industry , but far more of the investment old guard remain… Read More

2 hours ago

Early Ethereum advisor charged with extortion and arrested

The accused, Steven Nerayoff, violated the agreement made with a blockchain firm. If found guilty, Nerayoff and his associate Michael… Read More

2 hours ago

CME Group Reveals Plan for Bitcoin Options in Q1 2020

Leading derivatives exchange operator, CME Group announced in a press release today that it will launch options on its bitcoin… Read More

8 hours ago

Analyst: Bakkt Launch to Improve Trustworthiness of Crypto Markets

For the past year many participants within the crypto markets have been looking towards the official launch of Bakkt as… Read More

8 hours ago

IBM Stock Gets a Blockchain Pop

IBM (NYSE: IBM ) investors haven’t had all that much to complain about in 2019. After a precipitous drop over… Read More

8 hours ago

This website uses cookies. We use these cookies to collect data about your interaction with our website for the purpose of continuously improving your experience with our site. For more information we encourage you to read our privacy policy.

Read More