In 2014, I bought 25,000 dogecoin as a joke. In 2021, it was briefly worth more than $17,000. The problem was that I couldn’t remember the password. Determined to get my coins back, I embarked on a journey that exposed me to online hackers, the math behind passwords, and a lot of frustration.
While most people don’t have thousands in forgotten cryptocurrency, everyone relies on passwords to manage their digital lives. And as more and more people buy crypto, how can they protect their assets? We spoke to a host of experts to find out how to create the best passwords for your digital accounts and, if you have crypto, what your basic storage trade-offs are. Let’s dive in.
How to hack your own crypto wallet
There are a few common ways to lose crypto. Maybe you have a wallet on a hard drive that you throw away. Your exchange can be hacked. You may lose your password, or you may be personally hacked and your coins stolen. For those who lose their password, as I did, hackers actually present a silver lining. If you still have control over your wallet, you can try hacking your own wallet, or find someone who will.
So I contacted Dave Bitcoin, an anonymous hacker known for cracking crypto wallets. He agreed to help break into the wallet, at his standard rate of 20 percent — paid only if he is successful. Dave and other hackers usually use brute force techniques. In fact, they simply try passwords – a lot of them.
You can also try hacking your own wallet with tools like Pywallet or John the Ripper. But I didn’t want to do it myself, so I sent Dave a list of password possibilities and he got to work.
After waiting for a while I got an email from Dave. “I’ve tried over 100 billion passwords on your wallet,” Dave told me over email. I assumed such a mind-boggling number of attempts meant my coins had definitely been recovered, but unfortunately we had only scratched the surface. The password was not hacked and my coins were lost. But how?
The math behind strong passwords
Each additional character in a password makes it exponentially harder to crack. Consider a one-character password that can be a letter or a number. If the password is case sensitive, there are 52 letters plus 10 digits, or 62 possibilities. Not very safe: you can guess the password by trying at most 62 times (A, a, B, b, C, c… and so on).
Now make it a two-character password. It doesn’t get twice as hard to guess – it gets 62 times harder. There are now 3,844 possible passwords (AA, Aa, AB, etc.). A six-character password with the same rules has about 56 billion possibilities, assuming we don’t use any special characters. A 20-character password with those rules has 62 to the power of 20 possibilities: that is, 704,423,425,546,998,022,968,330,264,616,370,176 possible passwords. That makes 100 billion look pretty small by comparison.
This math was bad news for me, as I’m pretty sure I had some kind of long password, like a few lines of a song lyric. Talk about facing the music.
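To put the figures above on a footing you can check yourself, here is an added example (not code from the article or from Dave) that computes the keyspace for the 62-character alphabet the article uses, expresses it in bits, and shows what share of each keyspace the 100 billion guesses Dave tried actually covered. The 1 billion guesses per second rate in the demo is an assumed figure for illustration only.

```python
# Added example: keyspace arithmetic for the article's 62-character
# alphabet (A-Z, a-z, 0-9) and how far 100 billion guesses get.
import math

ALPHABET_SIZE = 62                 # 26 upper + 26 lower + 10 digits
GUESSES_TRIED = 100_000_000_000    # "over 100 billion" from the article


def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """Brute-force work in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def fraction_covered(length: int, guesses: int = GUESSES_TRIED) -> float:
    """Share of the keyspace exhausted by `guesses` attempts (capped at 1.0)."""
    return min(1.0, guesses / keyspace(length))


def years_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Worst-case wall-clock years to try every password at a fixed rate."""
    seconds_per_year = 365.25 * 24 * 3600
    return keyspace(length) / guesses_per_second / seconds_per_year


def min_length_for_bits(target_bits: float,
                        alphabet_size: int = ALPHABET_SIZE) -> int:
    """Smallest length whose keyspace reaches `target_bits` of work."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    rate = 1e9  # assumed guess rate for the demo, not from the article
    for n in (1, 2, 6, 20):
        print(f"length {n:>2}: keyspace={keyspace(n):,}  "
              f"bits={entropy_bits(n):5.1f}  "
              f"share tried={fraction_covered(n):.2e}  "
              f"years@1e9/s={years_to_exhaust(n, rate):.3g}")
    print("length needed for 80 bits:", min_length_for_bits(80))
```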
Password Best Practices
Whether it’s for your email or crypto wallet, how can you balance creating a strong password that’s also easy to remember?
“Choosing passwords is tricky,” says Dave, “If you go out of your way to create an unusual password for your wallet that you wouldn’t normally use, it becomes pretty hard for you to remember and for me to assist. It’s easier to guess your password if you use consistent patterns. Of course, this is bad for security, and someone trying to hack into your accounts will have an easier time. Balancing security and memorability is ultimately a difficult task that depends on the needs and preferences of the individual.”