Encrypted wallet.dat, lost password, any solutions? - page 30.

Revalin

hero member

Activity: 728

Merit: 500

165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g

Here's an updated version which will try double substitutions. This is a large keyspace and will take a long time - figure about a month for a 30 character password at 10 guesses per second. Beyond there you'll have to use either riX's approach where you assume that fumbles will be to adjacent keys, or employ a GPU for more brute force.

Code:

#!/usr/bin/ruby -w

passphrase = "oops"

def test(phrase)
  print phrase, "\t"
  system("./bitcoind", "walletpassphrase", phrase, "20")
  case $?.exitstatus
  when 0
    puts "Found it!  #{phrase}"
    exit 0
  when 127
    puts "bitcoind not found in current dir"
    exit 1
  end
end

def scramble(passphrase)
  characters = " !\"\#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"
  list = []

  # transpose adjacent chars
  (passphrase.length - 1).times do |i|
    testphrase = passphrase.dup
    testphrase[i] = passphrase[i+1]
    testphrase[i+1] = passphrase[i]
    list << testphrase
  end

  # delete one char
  passphrase.length.times do |i|
    testphrase = passphrase.dup
    testphrase = testphrase[0,i] + testphrase[(i+1)..-1]
    list << testphrase
  end

  # substitutute one char
  passphrase.length.times do |i|
    characters.chars.each do |c|
      testphrase = passphrase.dup
      testphrase[i] = c
      list << testphrase
    end
  end

  # insert one char
  (passphrase.length + 1).times do |i|
    characters.chars.each do |c|
      testphrase = passphrase.dup
      testphrase.insert(i, c)
      list << testphrase
    end
  end

  return list.uniq
end

list1 = scramble(passphrase)
list1.each { |i| test i }
list1.each { |i| scramble(i).each { |j| test j }}

puts "No luck."
exit 1

Stephen Gornick

legendary

Activity: 2506

Merit: 1010

Less than a year ago:

Quote

So why didn't we encrypt it up the wazoo and require that you type six passwords to unlock it? Well, two major reasons:

First, losing your wallet or forgetting your password is (arguably) as big a threat as theft. There is a reason every online service has some 'recover/reset lost password' feature.

- http://gavinthink.blogspot.com/2011/06/why-arent-bitcoin-wallets-encrypted.html

Revalin

hero member

Activity: 728

Merit: 500

165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g

Here, I whipped up something quick and dirty. Just fill in your passphrase as close as you can remember, and make sure bitcoind is in the current dir. It should print lots of "The wallet passphrase entered was incorrect" if it's working.

Code:

#!/usr/bin/ruby -w

passphrase = "oops"
characters = " !\"\#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"

def test(phrase)
  print phrase, "\t"
  system("./bitcoind", "walletpassphrase", phrase, "20")
  case $?.exitstatus
  when 0
    puts "Found it!  #{phrase}"
    exit 0
  when 127
    puts "bitcoind not found in current dir"
    exit 1
  end
end

# transpose adjacent chars
(passphrase.length - 1).times do |i|
  testphrase = passphrase.dup
  testphrase[i] = passphrase[i+1]
  testphrase[i+1] = passphrase[i]
  test testphrase
end

# delete one char
passphrase.length.times do |i|
  testphrase = passphrase.dup
  testphrase = testphrase[0,i] + testphrase[(i+1)..-1]
  test testphrase
end

# substitutute one char
passphrase.length.times do |i|
  characters.chars.each do |c|
    testphrase = passphrase.dup
    testphrase[i] = c
    test testphrase
  end
end

# insert one char
(passphrase.length + 1).times do |i|
  characters.chars.each do |c|
    testphrase = passphrase.dup
    testphrase.insert(i, c)
    test testphrase
  end
end


puts "No luck."
exit 1

Good luck!

edit: This also requires a running bitcoind.
1. set "rpcpassword=somerandomcrap" in .bitcoin/bitcoin.conf
2. run "./bitcoind -daemon"
3. run "./bitcoind getinfo" until it starts returning data instead of errors
4. then run the script above.

riX

sr. member

Activity: 326

Merit: 254

I did the same thing two weeks ago, mistyped my 30-char pwd twice, although that was on a 7-zip archive.
I made a script that tried all combinations of the keyboard keys surrounding the ones that should be correct, and also upper/lower case combinations for the characters that were adjacent to those that were supposed to be capitals.
Found the password in about 3 secs...

I have the script, but it's for 7-zip, but it's not hard to fix..

ez1btc

newbie

Activity: 14

Merit: 0

Much gratitude for all the help. If I can free my BTC I will pay a lot of you

I have spent several hours trying figure out my password mistake. Many hours feeling like a complete fool, in fact. Looking for a brute force script that I can guide in the right direction using the nearly-correct password which I remember.

Any script authors or white hats interested in making a hundred BTC or so, send me a message.

Thanks!

TangibleCryptography

sr. member

Activity: 476

Merit: 250

Tangible Cryptography LLC

Quote from: Etlase2 on June 04, 2012, 10:51:21 PM

Quote from: Revalin on June 04, 2012, 10:41:23 PM

The encrypted wallet format only encrypts the seckeys, nothing else.

That's strange. From the standpoint of privacy, shouldn't the pubkeys be encrypted as well?

That would require user's password to be entered and wallet kept unlock for any action. Mining for example would require keeping the wallet unlocked continuously and subject to theft. Checking your balance, verifying a tx cleared, checking # of confirmations would all require the password.

By only encrypting the private keys funds can be kept secure and the password is only needed to either send funds or sign a message.

Revalin

hero member

Activity: 728

Merit: 500

165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g

Keeping the pubkeys in plaintext encourages people to do their daily read-only operations (verifying received coins) without having to keep the decrypted private keys or password in memory.

The point of encryption is to prevent stolen coins, not to protect your identity. If you want identity protection use a separate whole-file encryption system such as GPG or TrueCrypt.

Etlase2

hero member

Activity: 798

Merit: 1000

Quote from: Revalin on June 04, 2012, 10:41:23 PM

The encrypted wallet format only encrypts the seckeys, nothing else.

That's strange. From the standpoint of privacy, shouldn't the pubkeys be encrypted as well?

Revalin

hero member

Activity: 728

Merit: 500

165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g

The encrypted wallet format only encrypts the seckeys, nothing else.

You can dump them with bitcointools: https://github.com/gavinandresen/bitcointools

ez1btc: to export the full encrypted seckeys, just make this change to wallet.py:

Code:

diff --git a/wallet.py b/wallet.py
index a41d3a6..9eae0ad 100644
--- a/wallet.py
+++ b/wallet.py
@@ -224,7 +224,7 @@ def dump_wallet(db_env, print_wallet, print_wallet_transactions, transaction_fil
       print(" Created: "+time.ctime(d['created'])+" Expires: "+time.ctime(d['expires'])+" Comment: "+d['comment'])
     elif type == "ckey":
       print("PubKey "+ short_hex(d['public_key']) + " " + public_key_to_bc_address(d['public_key']) +
-            ": Encrypted PriKey "+ short_hex(d['crypted_key']))
+            ": Encrypted PriKey "+ long_hex(d['crypted_key']))
     elif type == "mkey":
       print("Master Key %d"%(d['nID']) + ": 0x"+ short_hex(d['crypted_key']) +
             ", Salt: 0x"+ short_hex(d['salt']) +

Then run "./dbdump.py --wallet | grep PriKey". That will give you the full list, and you can pick which one you want to share.

FreeMoney

legendary

Activity: 1246

Merit: 1016

Strength in numbers

Oh, I keep imagining a plain encrypted file. If all the parts are in place and just the keys are encrypted then I think it makes sense to just pull one. Is the key pool encrypted? Is it easy to tell which are in the key pool? Pull one (for each cracker?) from the key pool and have a contest?

Etlase2

hero member

Activity: 798

Merit: 1000

Quote from: Revalin on June 04, 2012, 09:48:19 PM

Rather than giving your whole wallet over to someone, just extract one keypair, preferably one for an address with 0 balance. They can then crack it, but won't have access to all of your funds when they succeed.

Are the public keys unencrypted? Huh

Otherwise it would be difficult to find an address with a 0 balance I would think.

Revalin

hero member

Activity: 728

Merit: 500

165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g

Rather than giving your whole wallet over to someone, just extract one keypair, preferably one for an address with 0 balance. They can then crack it, but won't have access to all of your funds when they succeed.

FreeMoney

legendary

Activity: 1246

Merit: 1016

Strength in numbers

Quote from: etotheipi on June 04, 2012, 09:30:23 PM

Quote from: ?? on ??

Quote from: etotheipi on June 04, 2012, 09:13:58 PM

Quote from: FreeMoney on June 04, 2012, 09:05:18 PM

Just out of curiosity is there any theoretical way to put another password on a file before handing it off to someone yet still have them able to know if they've found the original?

"Commutative encryption" does exist, but wallet encryption uses AES which is not. And even if it did, I'm not sure there would be a way for the cracker to know when he's found the correct passphrase.

This may be a way to improve the encrypted wallet format. Passphrase to key function -> key. Then have the client encrypt separately a "test string" and the wallet.

This would allow brute force recovery in a secure manner. The person could just give only the encrypted test string (which given the right key should decrypt to a known value (something like "Bitcoin Wallet format v1.2") to recovery team.

It wouldn't simplify the attacker's job but it would allow forgotten/incorrect passwords to be recovered in a manner that doesn't require the owner to trust a third party.

+1

That's such a good idea I'm going to make it part of my new wallet format in Armory. This kind of thing happens infrequently, but enough.

Although, Armory has the advantage that you usually have a paper backup which is unencrypted. When you forget your passphrase, you only need to restore your wallet from the sheet of paper.

Nice idea Tangible.

koin

legendary

Activity: 873

Merit: 1000

this is probably being too paranoid, but ... plan on choosing only one person to attempt to figure out how your passphrase is failed. what if you have one person try to figure it out but claims to have failed. and then a second person gives it a try and also claims to have failed, or is still working on it. but then the bitcoins get spent. which party do you point blame?

game theory would probably have an answer for that but if there is only one party (or at least that person does not know there are any other parties trying the same thing) then chances are less likely that you'll get cheated.

payb.tc

hero member

Activity: 812

Merit: 1000

Quote from: ?? on ??

Quote from: etotheipi on June 04, 2012, 09:13:58 PM

Quote from: FreeMoney on June 04, 2012, 09:05:18 PM

Just out of curiosity is there any theoretical way to put another password on a file before handing it off to someone yet still have them able to know if they've found the original?

"Commutative encryption" does exist, but wallet encryption uses AES which is not. And even if it did, I'm not sure there would be a way for the cracker to know when he's found the correct passphrase.

This may be a way to improve the encrypted wallet format. Passphrase to key function -> key. Then have the client encrypt separately a "test string" and the wallet.

This would allow brute force recovery in a secure manner. The person could just give only the encrypted test string (which given the right key should decrypt to a known value (something like "Bitcoin Wallet format v1.2") to recovery team.

It wouldn't simplify the attacker's job but it would allow forgotten/incorrect passwords to be recovered in a manner that doesn't require the owner to trust a third party.

that would be awesome... you could then distribute it to potentially thousands, millions of 'lost pass' solvers who are paid bounties for the keys they find.

etotheipi

legendary

Activity: 1428

Merit: 1093

Core Armory Developer

Quote from: ?? on ??

Quote from: etotheipi on June 04, 2012, 09:13:58 PM

Quote from: FreeMoney on June 04, 2012, 09:05:18 PM

Just out of curiosity is there any theoretical way to put another password on a file before handing it off to someone yet still have them able to know if they've found the original?

"Commutative encryption" does exist, but wallet encryption uses AES which is not. And even if it did, I'm not sure there would be a way for the cracker to know when he's found the correct passphrase.

This may be a way to improve the encrypted wallet format. Passphrase to key function -> key. Then have the client encrypt separately a "test string" and the wallet.

This would allow brute force recovery in a secure manner. The person could just give only the encrypted test string (which given the right key should decrypt to a known value (something like "Bitcoin Wallet format v1.2") to recovery team.

It wouldn't simplify the attacker's job but it would allow forgotten/incorrect passwords to be recovered in a manner that doesn't require the owner to trust a third party.

+1

That's such a good idea I'm going to make it part of my new wallet format in Armory. This kind of thing happens infrequently, but enough.

Although, Armory has the advantage that you usually have a paper backup which is unencrypted. When you forget your passphrase, you only need to restore your wallet from the sheet of paper.

payb.tc

hero member

Activity: 812

Merit: 1000

Quote from: ez1btc on June 04, 2012, 08:38:34 PM

the password is quite memorable, which is why im surprised i misrecorded it- it is very long but a unique phrase and i must have misentered it twice while confirming it as my password.

have you tried hunter2?

seriously though, this might help: sometimes the above happens to me when i use a keyboard with a bad right-hand shift key, causing all the $ in my passphrases to come out as 4's every time i type it.

etotheipi

legendary

Activity: 1428

Merit: 1093

Core Armory Developer

Quote from: FreeMoney on June 04, 2012, 09:05:18 PM

Just out of curiosity is there any theoretical way to put another password on a file before handing it off to someone yet still have them able to know if they've found the original?

"Commutative encryption" does exist, but wallet encryption uses AES which is not. And even if it did, I'm not sure there would be a way for the cracker to know when he's found the correct passphrase.

rudrigorc2

legendary

Activity: 1064

Merit: 1000

if it really was you who put the password the best piece of hardware you can use right now is your brain

relax and try to recreate the whole scenario, time, place, mindset of when you were leaning on the bitcoin client, then put your hands on the keyboard, focus and start trying

hopefully the password will emerge

source: my own experience, I have set up a password on a 50 btc worth wallet. This is how it happened:

It was late night in a hostel, the only computer avaiable, not only a public a PC but I had to use standing up, and, to increase the anxiety level, I was drinking beer. Put the password and shutdown the PC. Then I left the place I was for three days, here is where I needed the password and: WTF?! Wrong password! Don't panic. At this time the password only existed on my brain, then just said to myself I was going to remeber. I did exactly as I told you above. Took me one day to go back to the place I had set up the password. And two more days acting like "12:01" movie to finally extract it from my mind. The pass was a 12 chars long phrase.

Hope this inspires you. Cheesy

memvola

hero member

Activity: 938

Merit: 1002

Quote from: FreeMoney on June 04, 2012, 09:05:18 PM

Just out of curiosity is there any theoretical way to put another password on a file before handing it off to someone yet still have them able to know if they've found the original?

I guess you could just send the encrypted master key?

Topic: Encrypted wallet.dat, lost password, any solutions? - page 30. (Read 213600 times)