Do you remember the first forgotten password of your life? Okay, sorry, phrased like this it may sound absurd since, if you forgot it, how could you remember it now? I mean if you remember the first time you forgot a password. Because, of course, now forgetting a password for an online service is not a major problem, since you have the password recovery function, but what would happen if you forgot the password to access the first email service, where you Did you get discharged back in the nineties? I am not saying that it is my case, but an example of a serious problem with a forgotten password.
On the other hand, when we talk about passwords, we tend to associate them with online services, forgetting that there are many other fields of application of them, and that we can summarize with a single word: files. And, of course, in this case, in the case of a forgotten password and that was the one that gave us access to its content, we will not have the key recovery function that they do offer us online services. That is, we will have a problem, the quantitative assessment of which will depend directly on the value of the content of said file.
Ars Technica publishes today an interesting article about it, in which it echoes a real case, in which a forgotten password, and that protected access to a file in zip format, it could have cost its owner $ 300,000. And that was the value, in exchange, of the bitcoins that had been saved in the compressed file.
The story begins in January 2016, when a person acquires bitcoins worth $ 10,000 and, to protect them, save them in a compressed file on your laptop. A compressed file that is effectively password protected. Time passes, the value of the cybercurrency increases substantially and, when the owner of the bitcoins tries to recover them, he discovers that you have forgotten the password you used to protect the zip file.
Aware that the forgotten password can be very, very expensive, and far from giving up, this person search for information on the internet and find an essay written by security expert Michael Stay, published now about two decades ago, and in which the expert affirms that it is possible to find out the password for these types of files. A ray of light and a cable to pull, so the owner of the bitcoins, neither short nor lazy, contacts Stay and explains his situation, and the cost that the lost password may have for him.
Over the years, the security features around passwords have evolved substantially. According to Stay, the first implementations of the same were not very secure, some could be deciphered almost immediately. Over the years, however, the industry has been betting on more and more secure standards, to the point where, with current technology, and except in the case of choosing easily deductible passwords, breaking the encryption of a file of this kind can be impossible task.
Following an exchange of messages and the collection of certain information, the owner of the bitcoins and Stay reached an agreement, based on which the security expert would charge $ 100,000, of the 300,000 that the bitcoins were worth at that time, if he finally managed to find the forgotten password. And, after making some inquiries, in addition to verifying that his contact was the legitimate owner of the file, he was able to find out with which application the zip was created and, surprise, the implementation of the encryption function in it was “attackable” .
To achieve this, the work was divided into two phases, a first of defining the attack and gathering elements for it, and a second in which all this material would be used, on a platform composed of several cloud computing systems, to try to find the forgotten password. A months-long job that nonetheless provided a fun and challenging task for Stay.
And what happened in the end to the forgotten password? Luck was on the part of the researcher and the owner of the bitcoins, since not only was it possible to recover it, but also, thanks to Stay’s excellent planning, it could be done in a much shorter period than originally planned. Something that both parties appreciated, because halfway through the process, bitcoin entered a downward trend that greatly scared both of them.
The happy ending of this story could, without a doubt, have been very different. If the owner of the bitcoins had used an application with a better implementation of the encryption functions, or if the file had been created more recently, it is likely that the forgotten password could never have been recovered (Well, I qualify that never, changing it to “until the actual arrival of quantum computing”). And that’s why, from time to time, it pays to remember how useful password managers are.
If you want to know the full story of the forgotten password, in this video (in English) you can hear it from the mouth of Michael Stay himself
Image: Santeri Viinamäki