Submitted via IRC for SoyCow2718
Phil Dougherty has a side hustle as a friendly hacker. By day, he's a software developer at the University of Wisconsin, building free educational games and conducting research on the ways people play them. Meanwhile, back at home, Dougherty is the shepherd of a program that's constantly running down ways to break into other people's cryptocurrency wallets.
Dougherty works with folks who have lost, forgotten or incorrectly written down their Ethereum passwords, locking themselves out of their wallets and forfeiting the digital cash that's lurking within. These people are, essentially, shit out of luck. There's no customer support hotline for Ethereum, no security questions to answer, no "Forgot password?" link.
[...] Dougherty got his start in cryptocurrency cracking in 2017, after reading a Reddit post from someone who wanted to brute force their way into their own Ethereum wallet. The Redditor remembered part of their password and generally what it looked like, handing Dougherty a puzzle perfectly suited to his interpersonal coding skills. He and five other programmers ended up racing to crack this user's password. Dougherty won.
"I successfully unlocked that guy's password, and then straight from that post I started getting, 'Well wait, hey, could you try to help me with that?'" Dougherty said. "Things organically grew from there."
Source: https://www.engadget.com/2019/09/13/forgot-password-ethereum-cryptocurrency-lost-expandpass/
(Score: 2) by looorg on Wednesday September 18 2019, @12:27PM
Was wondering that too. From the article it seems he is just running a, somewhat curated form of, dictionary attack from one computer. So the only thing separating him from the crooks that go out looking for weak (or having selected a bad) password for their wallets is that people ask him to do it and hope that he is later honest about it -- anyone with a million bucks or so in their wallet willing to test him and his service out?
Still, isn't it a bit of a weakness in the wallet system if you accept unlimited password guesses? I guess it's hard to get around though, perhaps some kind of blockchain solution could be found ...