In 2014, I bought 25,000 dogecoin as a joke. By 2021, it was briefly worth over $17,000. Problem was, I couldn’t remember the password. Determined to get my coins back, I embarked on a journey that exposed me to online hackers, the mathematics behind passwords, and a lot of frustration.
Although most people don’t have thousands in forgotten cryptocurrency, everyone relies on passwords to manage their digital lives. And as more and more people buy crypto, how can they protect their assets? We talked to a host of experts to figure out how to create the best passwords for your digital accounts, and, if you have crypto, what your basic storage tradeoffs are. Let’s dive in.
How to Hack Your Own Crypto Wallet
There are a few common ways to lose crypto. You might have a wallet on a hard drive you throw away. Your exchange could get hacked. You might lose your password, or you might get personally hacked and have your coins stolen. For those who lose their password, as I did, hackers actually present a silver lining. If you still control your wallet, you can try to hack your own wallet—or find someone who will.
So I contacted Dave Bitcoin, an anonymous hacker famous for cracking crypto wallets. He agreed to help break into the wallet, for his standard 20 percent fee—paid only if he is successful. Dave and other hackers are mostly using brute force techniques. Basically, they’re just guessing passwords—a lot of them.
You can also try to hack your own wallet with tools like pywallet or John the Ripper. But I didn’t want to do it myself, so I sent Dave a list of password possibilities and he got started.
After a little waiting, I received an email from Dave: “I tried over 100 billion passwords on your wallet.” I assumed such a mind-boggling number of tries meant my coins were surely recovered, but alas, we had only scratched the surface. The password was not cracked, and my coins remained lost. But how?
The Math Behind Strong Passwords
Each new character in a password makes it exponentially harder to crack. Consider a one-character password that could be a letter or a numeral. If the password is case-sensitive, there are 52 letters plus 10 numerals, 62 symbols in all. Not very secure: you could guess the password with at most 62 tries (A, a, B, b, C, c … and so on).
Now make it a two-character password. It doesn’t get twice as hard to guess; it gets 62 times harder. There are now 3,844 possible passwords (AA, Aa, AB, etc.). A six-character password with the same rules has around 56 billion possibilities, assuming we don’t use special characters. A 20-character password with those rules has 62-to-the-20th-power possibilities: that is, 704,423,425,546,998,022,968,330,264,616,370,176 possible passwords. That makes 100 billion look pretty small in comparison.
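The keyspace arithmetic above, worked through as an added example (this is not code from the article or from any wallet-recovery service). It assumes the article’s rules, a 62-symbol alphabet with every character chosen independently, and the one-billion-guesses-per-second rate used at the end is a constructed figure, not one the article reports.

```python
from fractions import Fraction
import math

# Alphabet from the article: 26 upper-case, 26 lower-case, 10 numerals; no special characters.
ALPHABET_SIZE = 26 + 26 + 10  # 62


def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of distinct passwords of exactly `length` characters when every
    position is chosen independently from the alphabet (62 ** length here)."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """Strength of a uniformly random password in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def fraction_searched(guesses: int, length: int,
                      alphabet_size: int = ALPHABET_SIZE) -> Fraction:
    """Share of the keyspace that `guesses` attempts cover, capped at 1 (exhausted)."""
    return min(Fraction(guesses, keyspace(length, alphabet_size)), Fraction(1))


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet_size: int = ALPHABET_SIZE) -> float:
    """Worst-case time to try every password at a constant guess rate."""
    seconds = keyspace(length, alphabet_size) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for n in (1, 2, 6, 20):
        print(f"{n:2d} chars: {keyspace(n):,} passwords, {entropy_bits(n):.1f} bits")
    tries = 100_000_000_000  # the 100 billion attempts reported in the article
    print(f"{tries:,} tries cover {float(fraction_searched(tries, 6)):.0%} of the 6-char space")
    print(f"...but only {float(fraction_searched(tries, 20)):.1e} of the 20-char space")
    # Assumed rate of one billion guesses per second (constructed, not from the article)
    print(f"Exhausting 20 chars at 1e9 guesses/s: {years_to_exhaust(20, 1e9):.1e} years")
```

The same 100 billion guesses that would exhaust every six-character password of this alphabet cover a vanishingly small slice of the 20-character space, which is why length matters more than any single clever substitution.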
This math was bad news for me, since I’m pretty sure I had some sort of long password, like a few lines of a song lyric. Talk about facing the music.
Password Best Practices
Whether it’s for your email or crypto wallet, how can you balance creating a strong password that’s also memorable?
“Choosing passwords is tricky,” says Dave, “If you go out of your way to create an unusual password for your wallet that you wouldn’t typically use, then it makes it quite difficult for you to remember and for me to help. It’s easier to guess your password if you use consistent patterns. Of course, this is bad for security, and someone who is trying to hack your accounts will have an easier time.” Balancing security with memorability is ultimately a tough task that will depend on the individual’s needs and preferences.