In 2014, I bought 25,000 dogecoin as a joke. By 2021, it was briefly worth over $17,000. Problem was, I couldn’t remember the password. Determined to get my coins back, I embarked on a journey that exposed me to online hackers, the mathematics behind passwords, and a lot of frustration.
Although most people don’t have thousands in forgotten cryptocurrency, everyone relies on passwords to manage their digital lives. And as more and more people buy crypto, how can they protect their assets? We talked to a host of experts to figure out how to create the best passwords for your digital accounts, and, if you have crypto, what your basic storage tradeoffs are. Let’s dive in.
How to Hack Your Own Crypto Wallet
There are a few common ways to lose crypto. You might have a wallet on a hard drive you throw away. Your exchange could get hacked. You might lose your password, or you might get personally hacked and have your coins stolen. For those who lose their password, as I did, hackers actually present a silver lining. If you still control your wallet, you can try to hack your own wallet—or find someone who will.
So I contacted Dave Bitcoin, an anonymous hacker famous for cracking crypto wallets. He agreed to help break into the wallet, for his standard 20 percent fee—paid only if he is successful. Dave and other hackers are mostly using brute force techniques. Basically, they’re just guessing passwords—a lot of them.
After a little waiting, I received an email from Dave. “I tried over 100 billion passwords on your wallet,” Dave told me over email. I assumed such a mind-boggling amount of tries meant my coins were surely recovered, but alas, we had only scratched the surface. The password was not hacked, and my coins remained lost. But how?
The Math Behind Strong Passwords
Each new digit in a password makes it exponentially harder to crack. Consider a one-digit password that could be a letter or a number. If the password is case-sensitive, there are 52 letters plus 10 numerals. Not very secure. You could simply guess the password by trying 62 times. (A, a, B, b, C, c … and so on).
Now make it a two-digit password. It doesn’t get twice as hard to guess—it gets 62 times harder to guess. There are now 3884 possible passwords to guess (AA, Aa, AB, etc.) A six-digit password with the same rules has around 56 billion possible permutations, assuming we don’t use special characters. A 20-character password with those rules has 62-to-the-20th-power permutations: that is, 704,423,425,546,998,022,968,330,264,616,370,176 possible passwords. That makes 100 billion look pretty small in comparison.
This math was bad news for me, since I’m pretty sure I had some sort of long password, like a few lines of a song lyric. Talk about facing the music.
Password Best Practices
Whether it’s for your email or crypto wallet, how can you balance creating a strong password that’s also memorable?
“Choosing passwords is tricky,” says Dave, “If you go out of your way to create an unusual password for your wallet that you wouldn’t typically use, then it makes it quite difficult for you to remember and for me to help. It’s easier to guess your password if you use consistent patterns. Of course, this is bad for security, and someone who is trying to hack your accounts will have an easier time.” Balancing security with memorability is ultimately a tough task that will depend on the individual’s needs and preferences.
Most PopularThe End of Airbnb in New YorkBusiness
“All I can really suggest is to either record all your passwords on paper (and take the risk that it will be found), or use a password manager,” Dave says. Ironically, the digital age is now making pen and paper a preferred security method. Russia’s state security agency supposedly reverted to typewriters after the Snowden leaks.
Are Coins on Crypto Exchanges Safe?
Losing my password made me a pretty big fan of storing crypto on exchanges. After all, if you forget your Coinbase password, the process is simple. You reset your password, and likely submit identification to verify that you own the account. On the surface, storing on big exchanges seems pretty secure. Coinbase says they keep “over 98 percent of deposits offline in secure cold storage facilities” in addition to having an “extensive insurance policy.” Thus, it should be difficult or impossible for cybercriminals to access most of the crypto Coinbase controls. Gemini, another popular US-based exchange, prides itself on its seemingly extensive security measures. At the same time, if your exchange suffers a major hack or goes bankrupt, it could take years to recover your crypto, if you get it back at all. That’s why many analysts recommend users maintain control over their coins.
“Cyberattackers are more likely to attempt to breach a major cryptocurrency exchange with billions in custody rather than the wallet of an individual with a few hundred dollars worth of funds,” notes Thomas Glucksmann, an independent cyber risk analyst based in Tokyo who previously worked at several cryptocurrency and blockchain companies. If users do store on exchanges, they may want to consider the security culture of the country their exchange is located in. “Generally speaking, the US and UK have very strong cybersecurity standards due to rotating talent between academia, the military, intelligence services, and the private sector.” While he did not recommend a specific storage option, Glucksmann noted that “popular hardware wallet providers for individuals include Ledger, Trezor, and KeepKey."
Dave recommends people choose a wallet that uses bip44 recovery phrases, which allow you to recover your crypto with 12 or 24-word recovery phrases. “Make multiple copies of the words, don’t try to be tricky and obfuscate them in some way that you’ll forget, then store the copies in different locations, in places where they won’t be disturbed, damaged, or thrown out.”
You Can Be Your Own Bank. But Should You?
The complications of transferring to a hardware wallet mean that many investors don’t transfer their funds immediately. Upon receiving advice from a friend who’d lost coins in the 2014 Mt. Gox hack, Lindsey A, a cryptocurrency investor in Virginia who asked to remain anonymous because of security concerns, purchased a ledger nano wallet, but hasn’t yet moved her coins off-exchange. She worries that the crypto market suffers from a lack of “rigorous safety or legal standards” but remains invested because “that’s part of the budding environment of cryptocurrency right now,” she says.
These security concerns also seem to be holding back the broader crypto market. “Given their digital nature, the funds feel very vulnerable to attacks, which is why I’ve kept the investments lower than traditional stocks,” says James Bland, director at the University of Virginia’s Center for Diversity in Engineering who also stores coins on-exchange. “Stocks still seem more viable than crypto,” continues Bland, who noted that many Black investors he knows are concerned with the recent fall in price. Still, he has optimism that crypto may recover in the long term, and notes, “I am keeping my current investments and leaning into the principle of buying during the dip when I can.”
Most PopularThe End of Airbnb in New YorkBusiness
If you set up your own wallet, you have total control over your funds—for better or worse. “You are your bank. There is no one in between you and your funds, but this comes at a risk. There isn’t anyone that can bail you out when you lose your access,” says Brett Haralson, a bitcoin investor in Miami. Even tech-savvy organizations can lose large sums of money. WIRED itself lost 13 bitcoin several years ago. The ease of losing such large amounts of money speaks to the nascent and double-edged nature of cryptocurrencies. Huge unexpected gains are possible, but losing access to the coins is far from difficult, even for tech-savvy individuals or organizations.
Turning Negatives Into Positives
So how should I feel about accidentally making (and losing) perhaps the most incredible investment of my life? And how does anyone cope with such a loss? Christian Busch, a professor at New York University and author of The Serendipity Mindset, suggested keeping my chin up. “People who consider themselves ‘lucky’ are more prone to frame unforeseen circumstances as happy coincidences, while those who consider themselves ‘unlucky’ people frame them as what could have been better. This becomes either a vicious or virtuous cycle,” he explains.
Besides, I should be glad I had the foresight to invest in crypto early, even if it didn’t work out. “Unexpected good luck—serendipity—often doesn’t merely happen by chance,” he argues. While I might have lost the dogecoin this time, that adventurous spirit was valuable. “Keeping the capacity to invest in these unexpectedly emerging, promising bets without putting the whole portfolio at risk is key.”
So many decisions in life boil down to one question: What risks are you willing to accept? There is no totally foolproof way to store any asset, let alone crypto. Hardware wallets can be lost, exchanges can be hacked, and passwords can be forgotten. Your investments can be lucky—or unlucky. Ultimately, you need to decide which risks you’re willing to take. As for me, I’ll look on the bright side, and keep trying to remember that password.