ethereum / mist

[DEPRECATED] Mist. Browse and use Ðapps on the Ethereum network.
http://ethereum.org
GNU General Public License v3.0

"Wrong Password" Issues #3513

Open wolovim opened 6 years ago

wolovim commented 6 years ago

Description

For many people, creating an Ethereum wallet is the first time they'll be creating an "account" with no password recovery service. Mist and Ethereum Wallet have consistently had issues filed related to users being locked out of accounts. In the Mist UI, this is visible via a "Wrong Password" error notification when attempting to use a given wallet.

Fortunately, many of these issues are resolved by users remembering they had used a different password, or discovering they made a typo in their password, sometimes with the help of a brute force password recovery tool, like pyethrecover.

Unfortunately, still many reports exist with users certain of their password and unable to unlock their wallets. Many of these reports insist that the incident is the result of a bug in the application and we take those claims very seriously. Each of these reported issues has its own nuances as to how it occurred, e.g. moving wallets to another machine, wallet creation during onboarding, specific language keyboards, use of special characters, during Mist version upgrades, and so on. Every one is researched, and we try to reproduce it.

If you're in this situation, we know you're in a very stressful position and we haven't abandoned you. We do, however, need your help. If a bug exists, our team has been unable to reproduce it yet. If you are able to, it would be of tremendous help to us if you would share the precise steps you took and your relevant system specs (OS, keyboard language, app version number, geth version number).

Specific example links:

Related issues:

NOTE: please keep this issue substantive and don't comment to say "I'm having this problem too." Use your emojis instead, please :smile:

7iain7 commented 6 years ago

OK, try this: put the password in, then hit the space bar once and try.

p0mmi3 commented 6 years ago

Didn't work. Just to be extra sure, I'll just add the hex to my ethcracker and see how many more variations I receive.

However I'm really impressed by 35 billion combinations using hashcat in a day, @anormore, can you increase that if you ran it over a few GPUs? I have about 120 RX 580's, I don't mind taking them off their usual task for a day or two just to crack this already!

anormore commented 6 years ago

@pavneet09 Hashcat is vastly superior to Ethcracker, but Ethcracker is less complicated. I'm not sure if you can parallel the application, but there is device selection -- so maybe? Head to hashcat to see.

anormore commented 6 years ago

We really need someone here to crack a password, and let us know if we're all crazy tin foil hatters -- or in fact there was something complex and buggy... :/

anormore commented 6 years ago

@evertonfraga How can I generate a fresh presale wallet? Even if it doesn't sync to the blockchain? I'd like to just verify my input/output models...

alxlv commented 6 years ago

I have been using hashcat for month but still without success. I started to crack from 6 letters password (digits, alphas and special characters), do not know how many letters it has because I did not set it. It's possible to run hashcat with using CPU, GPU or both. For example speed on my AMD Ryzen 1700x CPU is 20 h/sec. Here is my command string (windows 10):

hashcat64 -m15700 -a 3 -D 1 --self-test-disable --session brute_force $ethereum$s*n*r*p*salt*ciphertext*mac --status --status-timer=5 -w 3 ?a?a?a?a?a?a

Overview:

https://stealthsploit.com/2017/06/12/ethereum-wallet-cracking/

The speed calculation:

https://stealthsploit.com/2018/01/04/ethereum-wallet-cracking-pt-2-gpu-vs-cpu/

Shortly, you need a lot of computer power to crack without any information about password. Sad.

TGM commented 6 years ago

Using hashcat is really not the answer here and just a possible solution. The real approach is to run a debug on one of the existing clients that reported this problem.

Unfortunately I don't possess the skills to do that. Whoever possesses them, please post a step by step tutorial on how to do it and post useful feedback.

r3lax3d commented 6 years ago

@TGM I totally agree with that. We need HELP from a DEV that can show us the debug methods and has knowledge of the password and encrypt code. And process flow. Why hiding? Is this the way open source communities work/communicate? I hope not.

alxlv commented 6 years ago

Guys, I know hashcat usage is not a bug fix but maybe it may help someone to access to their wallet. I'm sure that's the problem 1 for most of us. As for me I did not set a password at all and would like to know more about password flow too.

7iain7 commented 6 years ago

This is from another thread on this subject: "For a friend of mine I've been trying to crack his wallet for days, but found out that Mist simply replaced his "faulty" character for a space. Worth a try!"

r3lax3d commented 6 years ago

Ethereum uses encryption algorithm keccak256. Shoot if not actual anymore..

https://ethereum.stackexchange.com/questions/3542/how-are-ethereum-addresses-generated

and to demotivate hacking if during the generation process / bug will change a 'Bit'

https://ethereum.stackexchange.com/questions/11572/how-does-the-keccak256-hash-function-work https://www.slideshare.net/RajeevVerma14/keccakpptx

https://en.wikipedia.org/wiki/Message_authentication_code

Next... how handles Ethereum code (I think about the process just before Message to hash) this during installation of the software or importing your json in another environment / software version

https://bitcoin.stackexchange.com/questions/42055/what-is-the-approach-to-calculate-an-ethereum-address-from-a-256-bit-private-key

P.S. and I keep repeating that the bug has nothing to do with special characters in a password. The proof is my own password letter/number lower case. And from others.

sebd-davra commented 6 years ago

The bug has nothing to do with special characters I do NOT have any special characters.

7iain7 commented 6 years ago

Mist is essentially a web browser with a wallet. In earlier versions of Mist, did it convert ASCII to HTML when the password was created?

r3lax3d commented 6 years ago

https://web3js.readthedocs.io/en/1.0/web3-eth-accounts.html

https://github.com/ethers-io/ethers.js/issues/66

Disclaimer: Digging into the code and try to understand. Not saying I am on the right path. But highly interesting ;) Hope to give some DEV's a rope or a lift whatever.

7iain7 commented 6 years ago

This is worth a try ascii to html converter: http://succulent-plant.com/toys/asciitohtml.html

evertonfraga commented 6 years ago

@7iain7 Mist has never converted to htmlentities (é > &eacute;) as it uses the default utf-8 encoding.

r3lax3d commented 6 years ago

@7iain7 We have to test every input we give to each other. So I tested it but negative here...

anormore commented 6 years ago

Hi everyone -- we need to STOP GUESSING at this, or we will never get it.

We need to re-create a Mist invalid wallet error and from this, we can identify how to crack it. If I have time this weekend, I will look at creating a Geth script to reverse brute force wallet generation, and see if I can trigger the error.

Speaking with the mods of Hashcat, this is their perspective too. We can sit here and debate special characters or entities, but first we must identify the problem.

ethtester commented 6 years ago

I agree. I'm currently building a clean test bed to install my original mist wallet (0.3.9) and will attempt to re-create my issue which was an automatically created Etherbase wallet that did not prompt for password.

shopifymatt commented 6 years ago

Currently running 0.9.3, the wallet was created either using this version or 0.9.2, can't recall which exactly. Password is 100% correct and contains no special characters, just uppercase, lowercase, and numbers. Password was written down in a txt file as well as on physical paper, both match and am still getting a wrong password error when trying to send funds. This is pretty ridiculous.

anormore commented 6 years ago

@shopifymatt Try MyEtherWallet.com to see if it unlocks

shopifymatt commented 6 years ago

@anormore Gave it a shot, no dice. Same wrong password error :(

anormore commented 6 years ago

@shopifymatt Welcome to the club. We have a good community here. We're currently investigating whether or not we're dumb and screwed up input of our password, or there is some bug with Ethereum. It's 50/50. We have arguments for either side, with no definitive answer. Maybe in the next week or two some work will be done towards determining this. Until then, welcome. Grab a chair and sit. Patience is your friend here. (Besides, ETH is going up anyway.)

shopifymatt commented 6 years ago

@anormore so are all those juicy alt coins I was gonna buy with my eth haha, oh well. As long as it eventually gets fixed I don't mind.

ontheronix commented 6 years ago

I have a backup of the %appdata%/Mist folder that was used when I created my now inaccessible wallet. Could this be of any help?

Also, has anyone tried recreating the bug by copy/pasting a password?

ethtester commented 6 years ago

@imanik92 Hello iman, before I email your contact. How many characters was the password and did it include numbers and special characters, also what was the version of mist used to create the wallet? Thanks

anormore commented 6 years ago

I wouldn't suggest giving your keystores and passwords away. It's a desperate measure. Learn and invest in Hashcat yourself, and do it yourself.

ethtester commented 6 years ago

I wouldn't ever. I know this is a scam testimonial..

7iain7 commented 6 years ago

I have lost bitcoins in mybitcoin online wallet scam in 2011. Then Mtgox, then 50btc mining pool. Trust NO one where your crypto coins are concerned. I cannot stress this enough.

imanik92 commented 6 years ago

@anormore @ethtester @7iain7 after all the proof i provide its still not good enough for you, just be happy for me I guess and move on. That simple. Wanna help both parties.

anormore commented 6 years ago

This thread is deteriorating. Please stay on topic of the Ethereum BUG.

Wallet recovery services should not be discussed here, please PM users if you wish to do so.

p0mmi3 commented 6 years ago

Hello all, just to reiterate this is not a thread of lost or forgotten password, there are many who believe a password was never issued and some even having the screenshot of the moment of password creation (such as me) as well as those who wrote it down or copy pasted it immediately.

We believe something went wrong somewhere and we are unable to access the wallet again, the devs are here to help but this is neither a time for blame game, nor the time for senseless discussions.

Kindly try to recreate the problem at your end by following the exact steps, even though we have the devs attention and their willingness to help us in their entirety but this is not an abnormality till it is replicated, which neither us or they have been able to recreate.

We do not wish to create this as, one of many threads for services or hacks or recovers, let us kindly try to recreate the issue or solve it on the whole and keep the discussion only substantial. Emojis help communicate way better!

shopifymatt commented 6 years ago

@pavneet09 The problem with attempting to recreate this issue is that it only presents itself when attempting to send funds. I have no interest in depositing more funds into yet another wallet to have those get locked up due to a bug either.

My exact steps were not exactly ground breaking and I doubt most others were either. Create wallet > Setup wallet >Deposit ETH > at later date attempt to withdraw ETH > Enter password > Get told password is wrong.

There isn't much room for error nor a need for replication, there are people who have literally taken screenshots to confirm they have the right passwords upon sign up, or people like myself who have written them down manually, and others who use the same password for everything all having the same issue.

If you are willing to lose some ETH to test this out, more power to you. I would rather not lose more money however, replicating the most basic functions of a wallet. I get what you are saying but, there is a limit to how much of the effort needed to solve this falls on the users, and I believe we are well past that point.

p0mmi3 commented 6 years ago

@shopifymatt I'm in the same boat! :)

I created the wallet address with no intention of withdrawing it in the near future, until one fine day I tried to transfer just a bit to be told the password is wrong. Unfortunately there is no other way for us to help other than contribute as much as we can to solve the issue. And yes, I am one of those who has the same password of all different alt coin wallet address, plus I take screenshots, so I would've thought there would be very little margin of error!

r3lax3d commented 6 years ago

Hi @pavneet09 You are totally right. And thank you for the comment. But basically 'they' want front-end users to do 2nd and 3rd line technical stuff. We have to reproduce it. Many issues in this long sad very sad issue tracking list already show the steps.

Reproducing the error is very time consuming. And with all respect, I am IT specialist but not a DEV @ Ethereum and that's why I am also looking at a black box until we see jawdropping help from DEV's. And I went deep already...

@shopifymatt - same same here....

(don't become the LEADER (of forgotten bugs) from the most promising enterprise software of the future) ;) ;)

anormore commented 6 years ago

Thanks everyone for your recent comments to get this issue back on track.

ontheronix commented 6 years ago

@imanik92 @anormore The warnings about sharing keystores are clear now, the discussion can stop here. The more important thing is to know what the cause of the not working password was.

r3lax3d commented 6 years ago

And I would like to see a reaction on my request(s) from Ethereum team.

anormore commented 6 years ago

@imanik92 From the discussion from Reddit, we learn the user simply forgot their password, building evidence for this bug.

"The password was close to what I had thought it was. I assumed there could have been a problem but I wasn't sure where I could have made one. After trying many passwords myself I was certain that it had been scrambled or maybe I didn't use my 3rd grade taught keyboard hand placement I learned so many years ago and mucked it up. When I got the password back there was no special character, just my forgetfulness."

That means something for us all here, and that we should not make angry demands to the Ethereum team -- as there is a chance that we all have forgotten our passwords, and this situation is our fault.

No one has yet to create a repeatable bug report for them.

Many people claiming the bug have found their password.

At this point, in my humble opinion (that may yet be wrong), the evidence really supports the conclusion the Ethereum bug does not exist. Believe me, I want a magic solution and to point fingers too, but that won't help you recover your Ether.

@imanik92 I still do not encourage sharing your keystore. But this isn't the place to discuss recovery services, we need to keep this chat here VERY clean and concise if there is to be hope of discovering a bug.

I personally have created 100 wallets via Geth, and all 100 wallets opened with out a problem.

sebd-davra commented 6 years ago

We do not forget our password (I copy pasted from keepass) ... the bug is existing but we cannot reproduce it because we don't want to transfer any money in the ether trap... It's not because people forget their password that the bug does not exist. @anormore don't try to get the wallet of the people too...

shopifymatt commented 6 years ago

@anormore I won't argue that there definitely are cases of people who simply forgot their password, and for them the recovery services are risky but great, if they work.

The problem is there are plenty of us who can say with 100% certainty that the password was not forgotten. Creating wallets is not the issue, that can be done no problem. The only way to replicate the issue is to actively have ETH in a wallet and attempt to send it as that is the point in the process where the bug (wrong password regardless) would arise. I don't know about anyone in this thread but, I'm not willing to throw money away to try and solve an issue that is in the developers realm of influence.

r3lax3d commented 6 years ago

We don't need ETH for testing the password or reproduce it. ETH value in an address is something what has no effect on the root cause. Just create a new installation and create an account / preferable in my situation while the blockchain is still synchronizing.

@anormore You are presuming a lot for others. I respect your input and stay on it but, It is a well known bug and Ethereum team is not actively working on it. At least we don't see it. And reproducing steps are already two years provided in a front-end user way.

ontheronix commented 6 years ago

In the Geth command line, you can unlock your wallet without having to do any transaction: https://ethereum.stackexchange.com/questions/4157/how-to-unlock-the-account-with-geth

p0mmi3 commented 6 years ago

You do not need to transfer Eth to find if a newly created account is working or not. You can simply go and try to unlock it using Geth. Just like @anormore I too have created many accounts, only to have them unlock simply.

anormore commented 6 years ago

Hello all.

I think we should be clear that offering your keystore and password with this as an active bug is foolish.

Regarding my post that a user had recovered a password by offering their keystore and password was simply indicating that there was in fact a user error.

As people here are taking a 20% commission, it is considered a for profit venture. Advertising dangerous services such as giving away your keystore should be avoided here, as we are trying to solve a bug. We should stay on topic. As you can see, we are quickly falling off topic from identifying the bug.

We need to be able to clearly and concisely identify what causes the bug. It seems that users here are saying that when Ether is deposited in the wallet, the wallet becomes inaccessible with an invalid password.

Previous to this, is the wallet accessible?

We should be able to ask the OP of this thread to verify this bug over a large test bed of wallets and determine the outcome true or false.

Is this reproducible? If so, let's compare what is happening and find a solution. I would imagine Hashcat would be involved or some sort of wallet conversion script would be executed.

Anger will not get us any further ahead. It is still at this time NOT clear that this is a legitimate code bug, unless someone can do a Youtube video showing them 3 wallets in a row that 'become corrupt', there's not a lot to go on.

I will not pretend I speak for the Ethereum developers, I too am frustrated by their lack of communication on this issue.

We are a community here, of lost passworders. Some of it MIGHT be legit, so prove it is legitimate. In many cases, the user in fact forgot their password. I'm fairly certain I have simply forgotten my password and am running Hashcat. I will continue to watch this thread, but will refrain from commenting any more.

I think this small community here on #3513 have done a fair share of research, and should be recognized and officially responded to by Ethereum.org, before any more anger, frustration and action is taken.

anormore commented 6 years ago

@marcgarreau @evertonfraga Now might be a good time for Ethereum.org to step in. Things are getting.... tense.

And understandably so.

evertonfraga commented 6 years ago

@anormore and others that are using Hashcat:

Have you tried adding control characters to the dictionary, on the password boundaries? Examples include:

oldmate89 commented 6 years ago

Hi EV Thanks very much for this.

I am using hashcat however have not tried using these control characters. I will be honest - I am not familiar with these character sets. Are you able to provide some further insight regarding this and I can run these in my rulesets.

Thanks

anormore commented 6 years ago

Thanks @evertonfraga I'll try adding this in on tonight's batch.

@oldmate89 Head to Hashcat, I've got a good discussion started: https://hashcat.net/forum/thread-7181.html

ceric35 commented 6 years ago

Hi guys, I'm in the same situation. I was using, an ethereum wallet created in 2016 and I have never tried to use it (only input transactions).

Now, MEW and geth ask for a password. I believed that there was no password, but maybe I was wrong.

If there is a password, I use always the same password to lock all my wallet, so I think it's not a "forgotten password" problem (but I can't be sure of that).

I have tried pyethrecover a little, but with no luck.

I now would like to help to debug it, if I can...