What happens when a Bitcoin wallet password is forgotten

Experts reveal the hacking power required to crack digital wallets and how cryptocurrency investors can keep access to their tokens secure

Millions of dollars are lost in locked Bitcoin wallets due to forgotten passwords

Imagine having millions of dollars in Bitcoin but not being able to access it. This is the reality for a growing number of people who have been locked out of their digital wallets because they have forgotten their passwords. The toll? An estimated US$140 million hidden away in locked wallets. And since Bitcoin is a decentralized currency, there is no one to call when you forget your wallet access code. So is there anything that can be done?

CRACKING THE PASSWORD

Ben Carmitchel, CEO of Datarecovery.com Inc., one of the world’s first data recovery firms, says his company used to receive about one request per month to unlock Bitcoin wallets. Now, it fields one or two calls a day. As the value of Bitcoin has increased, now rising above $70,000 per token, so has the number of people trying to access coins they bought years ago. And because the technology is so protected, he says, it is common to forget your password.

“People think they will remember what they created,” he says. “Then, 10 years later, they don’t.”

It costs $500 per day in computing power to crack a single password, says Carmitchel, adding that Datarecovery.com uses a variety of hacking techniques to retrieve lost keys. If a client has numerous forgotten passwords, paying for the recovery process can become expensive. 

Passwords can be either created by the owner or computer-generated. And not surprisingly, there is a greater chance of unlocking the human-generated variety, says Carmitchel. He’ll start the process by asking the client for as much information as possible in order to look for patterns: for example, the client might tend to use a capital letter or certain symbol when they create passwords. “It seems simple … but it eliminates millions and millions of combinations,” he says. It took Carmitchel one week to crack a key created with leet speak, where a symbol is used in place of a letter, finally breaking the code with a method known as dictionary matching, where all occurrences of any pattern must be found against a given dictionary.

If the password is computer-generated, such as with mnemonic generation BIP 39, which automatically creates a 22-word password, Carmitchel says the odds of putting those words together in the right order are “astronomical.” Datarecovery.com cracks about 80 per cent of requests it gets, he says. But that leaves 20 per cent of passwords that are non-recoverable, even with a brute force attack, a method that relies on guessing possible combinations of a targeted password until the correct password is discovered. This is the most aggressive form of hacking.
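The gap between the two cases above can be put in numbers. The following is an added example, not code from the article or from Datarecovery.com: it only counts candidates, comparing a human password built from known habits with a pattern-free string and a computer-generated mnemonic. The leet table, the sample words, the 12-word length, the 2048-word BIP 39 list size and the guess rate are assumptions that do not come from the article.

```python
import math

# Constructed leet-speak table (an assumption; the article names no symbols).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
BIP39_WORDLIST_SIZE = 2048  # size of the standard BIP 39 word list
SECONDS_PER_YEAR = 365 * 24 * 3600


def variants_per_word(word, capital_first_only=True):
    """Count spellings of one word under leet substitution and capitalisation."""
    count = 1
    for i, ch in enumerate(word.lower()):
        options = 1 + len(LEET.get(ch, ""))  # lower-case letter or a leet symbol
        if i == 0 or not capital_first_only:
            options += 1  # upper-case form is also allowed at this position
        count *= options
    return count


def dictionary_keyspace(words, suffix_digits=0, capital_first_only=True):
    """Candidates when the password is one known word plus N trailing digits."""
    per_word = sum(variants_per_word(w, capital_first_only) for w in words)
    return per_word * 10 ** suffix_digits


def brute_force_keyspace(length, alphabet=95):
    """Candidates with no pattern known: every printable-ASCII string."""
    return alphabet ** length


def mnemonic_keyspace(word_count):
    """Ordered word sequences; the BIP 39 checksum makes this an upper bound."""
    return BIP39_WORDLIST_SIZE ** word_count


def years_to_search(keyspace, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e9  # hypothetical guess rate, chosen only for illustration
    for label, size in [
        ("known habits, 2 words + 2 digits", dictionary_keyspace(["password", "bitcoin"], 2)),
        ("10 random printable characters", brute_force_keyspace(10)),
        ("12-word mnemonic", mnemonic_keyspace(12)),
    ]:
        print(f"{label}: 2^{math.log2(size):.1f}, {years_to_search(size, rate):.3g} years")
```

For wallet owners the reading is the defensive one: a passphrase built from personal habits sits in a space small enough to enumerate, while a generated mnemonic has to be backed up because it cannot be searched for.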

RELYING ON THIRD-PARTY PROVIDERS

Blockchain technology is so new that we are still trying to understand it, says CPA Jennifer Fiddian-Green, partner with Grant Thornton LLP, who leads the firm’s national forensic and dispute resolution advisory and anti-money laundering services practices. “The real strength of blockchain technology is that it’s so secure,” she says. “You can’t just say, ‘I’ll call the bank and prove who I am and get my money.’ ”

With this level of security and risk, Fiddian-Green says people are turning to third-party providers, such as cryptocurrency exchanges, to store their wallets online for them. However, these third parties are just emerging and the new industry does not yet offer the same type of protection as traditional banking does. In 2020, at least 75 cryptocurrency exchanges shuttered and people lost access to their cryptocurrency.

“We don’t let that happen in banking very easily. We have a lot of protection and regulation,” says Fiddian-Green, who works with these exchanges in Canada and internationally to secure and build systems that ensure transparency and better protection for their customers.

Security breaches are another potential issue, adds CPA Michael Wong, principal, research, guidance and support at CPA Canada. “With these third-party exchanges, customers are entrusting them with the private keys to their Bitcoin wallets,” he says. “Malicious actors can exploit vulnerabilities in the exchange’s computer systems to breach firewalls and other security measures to gain illegal access to customers’ bitcoins held by the exchange.” 

While they offer a convenient way to trade cryptocurrency, Wong’s approach for storing Bitcoin safely is to keep the private key for your digital wallet offline. One of the safest ways to do this is to utilize a hardware wallet. Other offline options include storing your private key on a USB that is disconnected from the internet or writing it on a piece of paper. 

“With these methods, the only way your Bitcoins can be accessed is by having physical access to that private key,” he says.

FUTURE SECURITY

The good news is that as technology progresses, we may have the ability to recover these forgotten passwords by cracking the encryption, says Wong.  

“With quantum computing, the computing power is exponential,” he says of the anticipated technology. “Whereas it might take a current computer millions of years to crack today’s encryption, a quantum computer can potentially do so in a day.” The exact scale may vary, says Wong, but experts agree it will be far superior to any existing classical computer. “It will change the paradigm of cryptography in general,” he says, “which will impact the blockchain and anything that uses encryption.” But not to worry, adds Wong, research is being done on post-quantum cryptography techniques that will secure our data (including Bitcoins) against quantum computers as well.

Whether you choose to manage your password through a password manager, print and store it in a safe or protect it via a third party, he reminds users to be responsible. “Treat it like you would treat any other password for financial assets and be careful with it,” says Wong. “Don’t leave it around … but make sure that you always have access to it.”  

THE FUTURE OF CRYPTO AND ACCOUNTING  

Blockchain and crypto-assets may impact CPAs and their future roles. And CPA Canada’s publications can help you better understand financial reporting around cryptocurrency and some of the challenges organizations may face before moving into the digital asset market.