In a bizarre new case, two security researchers have managed to crack a password that was lost for over 11 years, recovering bitcoins worth $3 million.

The owner of the wallet, Michael, shared the incident in a video and said: “I generated the password, I copied it, put it in the passphrase of the wallet, and also in a text file that I then encrypted.”

However, he lost the passcode when the encrypted part of his computer that contained the password became corrupted. And since it was a random password generated by RoboForm’s password generator, there was no way he could recall it.

At the time, the lost bitcoin was only worth a couple of thousand euros, so he let it go with a heavy heart. However, this incident dates back to 2013 and a lot has changed since then. The value of the same bitcoins rose by 20,000 percent, making him reach out to security researchers to help recover the money.

He reached out to electrical engineer Joe Grand (also known as Kingpin), who initially refused the job but agreed after he came up with a novel method to attack the original password generator.

Michael now retains about $2 million worth of bitcoin, which he plans to hold on to until each token is worth $100,000.

Grand teamed up with his colleague Bruno and used a reverse engineering tool developed by the US National Security Agency (NSA) to disassemble the password generator's code and work out how it produced the password.

After the job was done, a portion of that Bitcoin went to Grand and Bruno, and another small part of it was sold off.

Talking about the incident, Michael also added that in a way he is grateful he lost his password. Otherwise, he might not have held onto these tokens for this long.

While this incident was a win for Michael, it also sheds light on how weak RoboForm's password generator was. Ideally, it is supposed to create a new and unpredictable password every single time, but apparently, that was not the case.

While cracking this password, Grand learned that the generator derived its output from the clock: if you can control the time, you can control the password it creates. In simple terms, if they could make the generator believe it was still 2013, it would create the same password. So that is what they did.

Since they did not know the exact time when the password was created, the duo generated millions of passwords across that time window and were eventually able to recover it.
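To make the weakness concrete, here is an added toy example (not RoboForm's code, whose real algorithm is not described in this article): a hypothetical generator seeded from a timestamp is reproducible by anyone who can search a window of candidate seeds, while a generator drawing from the OS CSPRNG is not. The `seed_search` check is the kind of test a defender can run against a generator to see whether its output is recoverable from the clock alone.

```python
import random
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
LENGTH = 20
# Constructed creation time for the demo: 2013-04-14T12:00:00Z (hypothetical).
CREATED = int(datetime(2013, 4, 14, 12, 0, 0, tzinfo=timezone.utc).timestamp())


def weak_generate(seed_seconds: int) -> str:
    """Hypothetical weak generator: output is a pure function of a
    timestamp seed, so the same second always yields the same password."""
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def strong_generate(length: int = LENGTH) -> str:
    """Hardened form: entropy comes from the OS CSPRNG; time plays no part."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def seed_search(target: str, window_start: int, window_end: int) -> list:
    """Defender's check: which seeds in [window_start, window_end] reproduce
    `target` under the weak generator? An empty list means the password is
    not recoverable from this window of clock values."""
    return [s for s in range(window_start, window_end + 1)
            if weak_generate(s) == target]


def demo():
    """Search a two-hour window around CREATED for both generators' output."""
    weak_pw = weak_generate(CREATED)
    weak_hits = seed_search(weak_pw, CREATED - 3600, CREATED + 3600)
    strong_pw = strong_generate()
    strong_hits = seed_search(strong_pw, CREATED - 3600, CREATED + 3600)
    return weak_hits, strong_hits


if __name__ == "__main__":
    weak_hits, strong_hits = demo()
    print("time-seeded password reproduced at seeds:", weak_hits)
    print("CSPRNG password reproduced at seeds:", strong_hits)
```

With the real generator the search window had to span months, which is why the duo had to try millions of candidates rather than a few thousand.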

It is important to note that this weakness has since been fixed. Any password created after 2015 using RoboForm's password generator cannot be recovered with this time-based approach.
