ethereum / mist

[DEPRECATED] Mist. Browse and use Ðapps on the Ethereum network.
http://ethereum.org
GNU General Public License v3.0

"Wrong Password" Issues #3513

Open wolovim opened 6 years ago

wolovim commented 6 years ago

Description

For many people, creating an Ethereum wallet is the first time they'll be creating an "account" with no password recovery service. Mist and Ethereum Wallet have consistently had issues filed related to users being locked out of accounts. In the Mist UI, this is visible via a "Wrong Password" error notification when attempting to use a given wallet.

Fortunately, many of these issues are resolved by users remembering they had used a different password, or discovering they made a typo in their password, sometimes with the help of a brute force password recovery tool, like pyethrecover.

Unfortunately, many reports still exist with users certain of their password and unable to unlock their wallets. Many of these reports insist that the incident is the result of a bug in the application and we take those claims very seriously. Each of these reported issues has its own nuances as to how it occurred, e.g. moving wallets to another machine, wallet creation during onboarding, specific language keyboards, use of special characters, during Mist version upgrades, and so on. Every one is researched and we try to reproduce it.

If you're in this situation, we know you're in a very stressful position and we haven't abandoned you. We do, however, need your help. If a bug exists, our team has been unable to reproduce it yet. If you are able to, it would be of tremendous help to us if you would share the precise steps you took and your relevant system specs (OS, keyboard language, app version number, geth version number).

Specific example links:

Related issues:

NOTE: please keep this issue substantive and don't comment to say "I'm having this problem too." Use your emojis instead, please :smile:

anormore commented 6 years ago

Just a general announcement:

https://www.reddit.com/r/ethereum/ is a great place to look for assistance.

I'm running https://www.reddit.com/r/ethereumlostpasswords/ as well, not a lot of activity there though. (which is good?)

You can also chat on Gitter: https://gitter.im/ethereum/home

--

Let's get back to Password related problems here folks! I'm going to do some more testing this weekend regarding the white spaces. I did actually find my password file after a LONG time looking. It was in the wrong place... I think. Anyway, things are making sense here... So I do believe this is a white space issue.

I'm going to see in what other circumstances I can screw up a wallet. I've got a Mac here, so maybe there's some whacky character map issues. What happens if I use a french keyboard layout? Does the hash change?

Stay tuned folks, cheers,
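The question in the comment above ("Does the hash change?") can be checked offline. This is an added example, not part of the thread and not Mist or geth code: it assumes the keystore KDF runs over the exact UTF-8 bytes of the password with no trimming or Unicode normalization, uses PBKDF2-HMAC-SHA256 with a constructed salt and a lowered iteration count, and uses a constructed sample password.

```python
import hashlib
import unicodedata

# Constructed KDF parameters for the demonstration (not taken from any real keyfile).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 2000  # deliberately low so the example runs quickly


def derive_key(password: str) -> bytes:
    """Derive a 32-byte key from the exact UTF-8 bytes of the password.

    Assumption: nothing trims or normalizes the password before the KDF.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), SALT, ITERATIONS, dklen=32
    )


def code_points(password: str) -> list:
    """Name every code point so invisible characters become visible."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}" for ch in password]


def hidden_differences(password: str) -> list:
    """Flag properties that look identical on screen but change the bytes."""
    findings = []
    if password != password.strip():
        findings.append("edge-whitespace")
    cats = [unicodedata.category(ch) for ch in password]
    if any(c in ("Cc", "Cf") for c in cats):
        findings.append("control-or-format")  # newline, tab, zero-width chars
    if any(c == "Zs" and ch != " " for c, ch in zip(cats, password)):
        findings.append("non-ascii-space")  # e.g. U+00A0 no-break space
    if unicodedata.normalize("NFC", password) != password:
        findings.append("not-nfc")  # e.g. decomposed accents
    return findings


def compare(intended: str, variants: dict) -> dict:
    """For each variant: does it derive the same key, and what is hidden in it?"""
    reference = derive_key(intended)
    return {
        label: {
            "same_key": derive_key(value) == reference,
            "findings": hidden_differences(value),
        }
        for label, value in variants.items()
    }


# Constructed sample password and the ways it can silently change in transit.
INTENDED = "caf\u00e9 Wallet_2018"
VARIANTS = {
    "typed as intended": INTENDED,
    "pasted with trailing newline": INTENDED + "\n",
    "pasted with trailing space": INTENDED + " ",
    "no-break space instead of space": INTENDED.replace(" ", "\u00a0"),
    "decomposed accent (NFD)": unicodedata.normalize("NFD", INTENDED),
}

if __name__ == "__main__":
    for label, result in compare(INTENDED, VARIANTS).items():
        status = "same key" if result["same_key"] else "DIFFERENT key"
        print(f"{label:34s} {status:14s} {result['findings']}")
    print(code_points(INTENDED + "\n")[-1])
```

Every variant other than the first renders the same in a masked password field yet derives a different key, which is why recording the exact bytes at wallet creation matters more than recording what was typed.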

ghost commented 6 years ago

@anormore thank you for your effort in recreating a password bug. It's encouraging as I search for the password issue preventing me from accessing my own pre-sale wallet.

It can be discouraging to loop through the cycle of researching a solution, attempt it and have 'wrong password' return. After a year of attempting to access my pre-sale wallet I feel quite lost in the issues.

My new approach is to catalogue all the mentioned issues, suggestions and resolutions in a spreadsheet. The goal is to have some visibility and confidence of all possible ways to troubleshoot the issue, before I begin to attempt more solutions.

Would this be valuable to everyone? (I'm barely technical so it seems valuable from my perspective) Would this be something anyone would like to have shared around?

@evertonfraga you've listed some links on the first post of this issue. Would you have any other data you've collected on these issues to share?

anormore commented 6 years ago

As we don't have a way to generate a pre-sale wallet at the moment... I think we're kind of screwed. I'm 99% sure of my password, I've tried everything. Nope. Nota.

And I know there is a repeatable 'bug' with password inputs. At this point, I think I'm just fucked. Developers haven't really done anything, other than sort of acknowledge the issue.

At least I'm only "out" $100 bucks, from 4 years ago. So I can't really complain. But I can still be mad that this isn't a bigger issue.

But then again, I have no idea what's going on at Ethereum HQ and what priorities are. Hopefully one day this gets figured out, but at this point, I have to hang up my hat with this, and get back to my regular stuff. This took a lot of effort to learn...

Good luck to the next guy.

ghost commented 6 years ago

I'm 100% sure of my password after brute forcing millions of permutations against my pre-sale wallet. Something unknown is preventing me from accessing with my password.

@anormore I can see you've dedicated a lot of effort to discover the issue. Take some rest but don't give up. We'll get there eventually, if we persist with the issue and keep it front of the dev team's mind

ontheronix commented 6 years ago

I tried affixing and suffixing my password with 1, 2 or 3 spaces in Ethcracker because I copy/pasted my password, but also with no result. Probably because I also have special characters in it. So it seems we have 2 separate bugs.

I also can't believe the devs are still releasing new versions while this bug is in it!

anormore commented 6 years ago

We haven't been able to reproduce the special characters bug... We can definitely reproduce the spaces bug.

I guess what is next is to reproduce the special characters bug to build the proper mask still...

satori-q3a commented 6 years ago

When installing Ethereum Mist, I hit the 'skip' button on the initial password creation section of the install. Using the 'light' mode, the Mist Wallet set up quickly and seemed functional.

Accessing 'geth' via the console, I used the 'account update' command to verify that the password was blank (no password), but found that a 'real' password was expected and could not continue further.

I then did a complete reinstall of Mist (deleting all data folders), but this time I entered in a password when it was first requested. I found that I was able to use 'geth account update' to verify that, indeed, the password was accepted and allowed me to re-enter the same password.

Skipping the password during initial installation creates a situation where you're not aware that an unknown password was created until you actually try to send funds.

sebd-davra commented 6 years ago

Well done @satori-q3a

JWSV commented 6 years ago

Hello, I found this comment and have just experienced the same issue. I installed the latest version of the Ethereum Wallet and skipped putting in a password. When I deposited Ethereum to the new wallet which was installed a couple weeks ago, I found that it asked for a password to send ether out. I never created one?

satori-q3a commented 6 years ago

So the question to the devs is:

What's the default password for geth and/or what's the default password that Mist uses when creating a new account? If it's "null", then there's no way that it can be entered thru a console.

JWSV commented 6 years ago

I'm seeing that this question has been asked multiple times in different threads but with no response from a dev??

JWSV commented 6 years ago

Why can't you use the geth update to update the password from a null value?

JWSV commented 6 years ago

Honestly, if this is a bug, then the ether wallet is a real shit show. I downloaded a qtum wallet the same day as this shit ether wallet, loaded it up and sent out qtum, no problems. The qtum wallet has a simple accessible option to change your password if you need to OR input one if you want.

satori-q3a commented 6 years ago

It seems to be a one time setup bug in which you absolutely cannot skip the initial password creation stage of the Mist installation. Otherwise, it will create a new account with its own password that's unknown to you. You can transfer funds to it but you cannot send from it afterwards.

To be safe, you MUST manually verify that the new password is applied to the account from geth, via the 'account update' command, thru the console before any funds can be transferred to it.

JWSV commented 6 years ago

The problem is I have Several Thousand Dollars that just got destroyed because of this f'ng bug. This is not a game and ethereum project needs to pull their collective heads out of their asses. This is a serious god damn problem with their wallet and makes them look like a joke. A ton of people use crappy windows and it appears that's where the bug is. Glad to be a guinea pig and lose thousands.

shopifymatt commented 6 years ago

Wow if this is true, that's pretty fucking ridiculous. Unreal how there has been practically zero word from the devs.

This is not a minor bug, this is massive.

philsmd commented 6 years ago

@JWSV Can you (reliably) reproduce the problem with a new installation/wallet? I.e. after you backed up all your important files (especially the UTC/json file) and create a fresh/new installation... are you able to perform the same steps and come up with a (new) account that can't be accessed ?

The problem so far was that a lot of people claim that they have "this exact" problem but (besides the special character replacement "problem" from above, which seems to have nothing to do with mist, because anormore proved that the problem of copy-pasting also happens if he uses his browser instead of mist) were unable to reproduce it. The other problem is that a lot of users that claimed that they are 100% confident that they never inserted a password, much later found out that they used a password that they use also elsewhere with slight modifications (e.g. to fit it to the password policy of greater than 9 characters etc).

I'm not saying that this is for sure what also happened to you. I'm not claiming that you 100% forgot the password or forgot that you typed a password.... but currently we have no proof (best would be video recording, screenshots or at least step-by-step instructions on how to reproduce it etc) that such a bug exists in mist. Until now there was no user able to confirm here that s/he just (at this very moment, because s/he wanted to reproduce the problem) created a new account and s/he is unable to unlock it and that s/he can provide the UTC/json file for us and the devs to analyse (because there is 0 eth in it).

It also would make sense to add some more information about your setup, e.g. which mist version you used beforehand (and which version you use now, if they differ) and the operating system version and (in case you typed a password) the keyboard layouts, (if applicable) if you copy-paste the password etc.

Maybe by repeating the installation steps and trying to figure out what buttons you clicked when launching mist the first time etc ... you are able to pinpoint the problem even more (or instead figure out that you saw this "New Account" screen beforehand and suddenly remember that you typed an easy password etc).

JWSV commented 6 years ago

At first, I thought maybe I had created a password and just forgot, but after troubleshooting what I remembered, I don't believe that to be the case. I downloaded two wallets on the 17th of Jan and installed them - An ethereum wallet and a qtum wallet. I did not create passwords for either and I vividly remember skipping the create a password step for ethereum wallet. I do not remember creating a password and then having to verify it. I also put my passwords on special paper so I don't forget and that never happened. I had created a password for the qtum wallet at a later date after playing around with it, but again, no memory of creating one for the ether wallet.

In any case, I will back up the ethereum wallet and try to see if I can recreate the problem by following the steps I remember taking. I didn't do anything special. I just went to the ethereum.org website downloaded the latest for win 7 x 64, unzipped it, started the installation and skipped all the way to the end as it was downloading. Once it was done downloading I just left it open off and on for the last couple of weeks until I sent ether to it.

Another interesting thing is that the wallet has a main account (ether base) and another account called account 1. The ether is stuck in account 1. I never created two accounts, so I don't know if that is something that happens automatically when you send ether to the wallet?

Some information: Ethereum wallet win64 0.9.3 - the only version that I had, there were no updates of an existing wallet. Windows 7 x64


philsmd commented 6 years ago

@JWSV do you remember where and how you copied the ethereum address to make the payment ? Do you remember whether there was only one account or more at the time you performed the payment to that address ? Are you sure that after you first launched the mist application after syncing (main windows) that there was already the etherbase account (or even already 2 accounts) ? Did you use geth (go-ethereum) or any other ethereum-related software wallet before installing/launching mist ? Maybe there was already one UTC/json file present on your system by a different application

JWSV commented 6 years ago

I just copied the address that was in the ethereum wallet by clicking on the copy address icon and pasted it into the send space on the sending website. I thought there was only one account and then noticed two after the ethereum had arrived - but I'm not 100% sure because I wasn't looking at this. There were no other UTC files on the computer that I know of when I downloaded the wallet. I checked the ethereum folder on the main drive and it was timestamped the same day I downloaded the new ethereum wallet. The time stamp for the UTC files shows that they were both created and last updated the day after I had downloaded the wallet. I did not use Geth before installing the wallet, but I had used it after to try to change the password. Again, I never added another account, because you need to create a password to do that AND I definitely didn't do that.


ghost commented 6 years ago

Like mostly all other people, I know I have my password 100% correct. I typed in my password extra slow and I was paying extra close attention while entering my password. I typed it extremely slow with one index finger. I know my password is correct.

This is how the bug happened for me.

Step 1) I downloaded Ethereum Wallet Zip Folder 0.9.3 .... Then sent transaction before full node is synced.

Step 2) After full node is synced, transaction doesn't show up because full node sync missed block-chain information

Step 3) KEEP wallet back-up. Delete Ethereum Zip and Data

Step 4) Re-Download Ethereum 0.9.3 .exe NOT zip; and use back-up wallet file and then fully sync with LIGHT client. now, transaction DOES appear in light wallet.

Step 5) Try to send with light wallet 0.9.3 ............ get error "wrong password"

Step 6) Try every possible password combination EVEN THOUGH i know i typed the very first password correctly and extremely slow with one index finger.

Step 7) end

edit: no special characters !@#$%^&*()_+<>?/ were used

philsmd commented 6 years ago

I'm just trying to understand/analyze the problem... @RntfgTroy do you remember if you used the skip option at the very beginning ? You wrote "I downloaded Ethereum Wallet Zip Folder 0.9.3 .... Then sent transaction" , but I miss the information about where and when you inserted the password. Did you use the initial onboarding new account screen or did you skip it and later create a new account? Did you use the backup feature of mist or did you back the keys up manually (by copying the directory/files)? Did you inspect the dates of the UTC files? Did they change after you set the password (several days later)? Do you see one or more accounts (only etherbase?) ? Do you use any particular keyboard layout ? Which operating system do you use? Did you try to use geth to unlock the account ?

Do you think you are able to repeat all those steps and provide a keyfile that can't be unlocked? I think in theory one could even use the testnet to send some coins (without losing any real money) if you think that it only happens after some transactions were performed. It would be great if someone could reproduce these steps and maybe even is able to attach a keyfile (for which the password is known, with 0 eth in it or it only uses testnet coins) and maybe even show some video recordings or screenshots to prove that this problem exists.

ghost commented 6 years ago

-I did not skip setting up a password. I used the onboarding screen for Ethereum Wallet Zip Folder 0.9.3 to set a password.

edit: and right now I have a small processor so I have to use that computation power to try some solutions, I cannot use that time and power to re-download and install the wallets and blockchains. First, I have to spend that time and power on some solutions and downloading different wallet versions and block chains and after I have tried a few solutions, only then will I reproduce the bug by re-downloading a 0.9.3 full node because it's a lot on my processor.

And by the way, I'm just finding out that this bug has been in reproduction for years now. Including the person who comments after this post. Thanks again for the comment @philsmd

ghost commented 6 years ago

and as i said ... sooooo many people wrote down their password & know it 100% correct and the wallet says "wrong password" .. this cannot be our fault...

you math guys know the truth ... the increase in people who know their password 100% correct means an increase in the event that this a fault. I'm not yelling .. I'm just using simple math... we already know that the special characters and spaces are a problem on the password screen. we cannot continue to tell people that they messed up. when this is obviously a problem with the password screen. if it was one or two people but, its soooooooooooo many people who have their passwords 100% .. you guys already know the math on that. I'm not yelling I'm just saying a fact.

ghost commented 6 years ago

and what about people that didn't create a password at all. and they can't send transactions. this is obviously flawed. on github the ethereum build is obviously failing... can we get an update?

anormore commented 6 years ago

I'm appalled Ethereum.org hasn't acknowledged this issue in a more formal way, and basically ignores this thread.

I'm no lawyer, but man, the inability to access your account due to a bug should be a critical issue. I've taken basic steps to show a reproducible bug. The fact that the Devs haven't sat down to do this themselves is sheer laziness.

IT'S LAZY

And now it's rude to ignore this issue completely.

What happens when this thread hits Twitter or goes big?

"Warning, do not buy Ethereum because there is a 5% chance you'll never unlock your wallet because of unknown bugs, which were reported to devs, but they didn't care".

There are more and more people coming here daily. I get messages on Reddit from people asking for help. This is nuts.

I'm calling on Ethereum.org to step it up and address this community.

lucas-iao commented 6 years ago

However this fits into solving the problem: Mac OS ether mist wallet (whatever version was in beg of Aug 2017, not presale). My password and my original wallet work fine. I created a second account within the wallet. I am sure I was never prompted to provide a password during this process as I write everything down. However, if I did create one, it has special characters and I know it. I sent ether to this wallet. When I tried to send ether out of this wallet, I am asked to provide a password, then the password doesn't work. Now I can stare at the account that has my ether and I have no access to it. I have tried downloading and using other wallets with my jstore file, and using myether. I have access to everything but that one account. Ethereum was great for paving the way...but my faith will have to lean towards other platforms in the long run. If you think I made a mistake or am wrong, I don't care. I learned my lesson, but I do hope a remedy is found for all those who have suffered losses from this bug.

JWSV commented 6 years ago

Ok, so, I reinstalled the ethereum wallet today using the same steps that I did before. However... this time, NO accounts showed up in the wallet. Where and how ethereum wallet is creating these accounts out of thin air is freakn' amazing. If the wallet is picking up old UTC files or incorporating unknown files into a "new installation", that is a serious problem for new users. The system I originally installed the wallet on didn't have any previous ether installations to my knowledge and even if it did, the wallet shouldn't be importing old files into a new installation without your permission so you know what's going on! I am going to restore windows back to its state before the first installation to see what happens.


lexie1 commented 6 years ago

Hey guys, unfortunately I have the exact same problem. I'm sure I did not set up any password, as I skipped it and it created my main account. I've been trying to brute force, however I'm certain there was no password. I'm really pissed. I have a great memory and always write everything down...when I first tried to send some coins to an exchange I was really surprised it asked me for password cause I never set it :(

ontheronix commented 6 years ago

@evertonfraga Are there reports about passwords with underscores ( _ ) in it? Can you provide a list with troublesome characters derived from the input of the Google form?

ghost commented 6 years ago

i have an update: i was thinking about my password today.. and i thought i remembered it. So i tried it and it didn't say wrong password, it said no peers connected. but usually if peers are not connected it would just say wrong password. so to make a long story short it still says wrong password.

but I know i wouldn't make my password anything else. and i specifically remember typing the password extra slow with one finger and showing password and everything and using my extra familiar password. and if i had to add a character then it would only be a "9"

but to make a longer story shorter. i know my password however i tried all different passwords and password mistakes just for kicks. but i specifically remember installing my password. because all wallets says do not lose your password

this is exactly what i was trying to avoid, not having anyone to go to for a password. that's why i looked at the password and i own crypto wallets, i'm responsible. but this time it wasn't me.

and earlier versions didn't work either because the keys have a different format now for 0.9.3 to make a longer story shorter can you guys please make an update, where the passphrases hashes are corrected. my password cannot possibly be anything else . i tried my password, i tried password mistakes , caps lock. like im trying all this stuff for no reason my brain is stuck on my real password . I don't understand. why guys why 😞 edit: i didn't put any fancy stuff that i would forget. like specifically put it as my other password. it has the exact same length ... i remember the dots length and i looked at it specifically i just guys why 🤕

ghost commented 6 years ago

also if my password length is less than the required.. but i know i my password 100% true can the next update remove the requirements. guys 🤕 i still don't understand why people copy&paste their password and it doesn't work. but on the next update can the password requirements be removed because it could be that my password length is lesser than required length. guys why would it allow a password to be created that doesn't meet the requirements why would it allow a password to be created that doesn't meet the requirements why would it allow a password to be created that is zero characters or lesser than required whyyyyyyyyyy i just don't get it 😞

anormore commented 6 years ago

Ethereum is bugged, and you're out of luck. No response from developers despite hundreds of cases from users.

Kiss your ETH goodbye.

sebd-davra commented 6 years ago

yep it's an ether trap.

philsmd commented 6 years ago

@anormore and others that have a pre-sale generated wallet/json file. Since @evertonfraga and other devs here only promised to show the code of the wallet generation of the pre-sale website but never delivered, I took some spare time and tried to investigate... With archive.org or archive.is the old versions of the ethereum.org website are still available and I also discovered the wallet generation code (genwallet()). It's actually similar to the pyethsaletool tool (but with the extra bkp field) which is available here: https://github.com/ethereum/pyethsaletool... but implemented in javascript.

Here are some interesting links:

https://www.reddit.com/r/ethereum/comments/2bilqg/note_there_is_a_paranoid_highsecurity_way_to/cj5yda2/

https://web.archive.org/web/20140824160929/https://www.ethereum.org/

https://web.archive.org/web/20140824160929js_/https://www.ethereum.org/scripts/app.min.js

It's interesting that the charset for the seed consists of "only" these characters: "abcdefghijklmnopqrstuvwxyz234567" (see the n.entropy+="abcdefghijklmnopqrstuvwxyz234567"[t%32] from the app.min.js file above).... but on the other hand also the pyethsaletool seems to have used a restricted charset for the seed (only using hex chars, "0123456789abcdef") after this commit https://github.com/ethereum/pyethsaletool/commit/6c2ff9aa8693b25d406d4e6908a2d00913fee51e (I have also explained some possible attacks that could be performed here: https://hashcat.net/forum/thread-6405-post-39256.html#pid39256 if you for instance know how long the raw seed is - padding attack - or how the charset was restricted)

To make it clear, all those possible ways to "attack" the encseed of a pre-sale wallet do not really make it much faster to crack (because the speed gain should be negligible compared to the slow/heavy pbkdf2 part), but they for instance allow to not disclose/provide the whole encseed to strangers (e.g. password recovery services), but still let them try a lot of password candidates to recover the seed/private key.

this could also be interesting https://forum.ethereum.org/discussion/1159/why-do-the-sale-webpage-and-python-command-line-tool-produce-very-differently-sized-encseeds , Vitalik explains why the encseeds are much longer for wallets generated by the website.

evertonfraga commented 6 years ago

Hi all,

I managed to find the code that generated the presale wallets, with the help of @cdetrio. You can run that website and see if the account created from there can be unlocked by Geth.

wallet generation code: https://github.com/ethereum/www/blob/514c99663ebd5b276652ee1be377e560a092fbbf/src/scripts/libs/ethersale/xethtool.js#L67-L81

where genwallet is called from the interface https://github.com/ethereum/www/blob/514c99663ebd5b276652ee1be377e560a092fbbf/src/scripts/ethapp.js#L167

commit history from that time https://github.com/ethereum/www/commits/master-sale?after=057b87516d3373cda55143e7f24bf91e77fb5259+34

anormore commented 6 years ago

@evertonfraga this is the kind of stuff that makes me think this is on you.

My purchase date is: 8/9/14

The pyethsaletool was changed on: 09/11/14

The Change: https://github.com/ethereum/pyethsaletool/commit/6c2ff9aa8693b25d406d4e6908a2d00913fee51e

random_key() random_key().decode('hex')

@philsmd -- does this make sense? Would this have anything to do with my lockout or anyone else's specifically? It appears they changed the way passwords are generated.

I'm wondering if all the tools including Hashcat are not including "my non decode('hex') wallet"?

@evertonfraga If I generated a wallet before this update, and one after this update, using the same password with some sort of special character -- the output hash would be different, yes?

philsmd commented 6 years ago

@anormore pyethsaletool was not directly used within the webpage.

I think the change of using hexadecimal instead of unhexing it has to do with the fact that a user could provide the seed with the command line argument

--seed seed

to pyethsaletool and therefore it can't always be hex-decoded (if hex chars were not used in the first place). I think this was a "bug" (again only pyethsaletool not the webpage) in previous versions of pyethsaletool that it always tried to unhex the seed provided by --seed... now the change introduced a slight weakness/vulnerability because we have a known-charset that we can detect with password recovery tools and make educated guesses if the decryption worked even without the sha3 step or even without having the whole encseed.

Again, I do not think that the page was modified too with these hex-changes (now you also have the commit log so maybe you can find it out yourself, but I'm pretty sure the javascript version wasn't changed the same way).

The hex-change does not change much in the algorithm. If anything the seed and encseed would be much longer (twice as long compared to non-hex version seed). It wouldn't make it uncrackable and you wouldn't need a different algorithm to crack it (it is just longer, if anything).

I wouldn't say that "hash would be different", it's always different, for instance because we have a random initialization vector (IV) for the AES key etc.... This is also no problem for the password crackers and it wouldn't make it uncrackable.

anormore commented 6 years ago

So, it's not possible for me to reproduce the bugs from the staging.ethereum.com website. Who knows how they were grabbing input and transforming it.

Still waiting here for a dev response. @evertonfraga

evertonfraga commented 6 years ago

@anormore

> this is the kind of stuff that makes me think this is on you.

You make assumptions out of imprecision, and that does not help us progress.

This issue was created to collect user feedback regarding different types of wrong password claims and try to figure out a pattern that could lead to more specific testing scenarios. As a reminder, we've already spent lots of hours and haven't reproduced a single wrong password case.

Although I'm designing new testing scenarios with the collected data as input, I'm afraid your problem does not even fit in this issue — it was a presale wallet whose password didn't work with Ethereum Wallet. Also MyEtherWallet, Geth, Parity and so on.

I've identified several possible causes to "Wrong password" issue, and clearly, your problem is not with this software. I tried my best to respond to off-topic questions you made, but let's keep an EthereumWallet-wise conversation.

evertonfraga commented 6 years ago

https://github.com/ethereum/mist/issues/3513#issuecomment-357752330

advancedsoftwarecanada commented 6 years ago

Man, my password is a super simple password. There’s a LOT of problems with ethereum.

Since you’re going to take weeks to respond, and not really provide any solutions, I’ll just leave. But the fact remains there ARE problems and I have in fact given steps to reproduce the bug. Copy and paste a line break and it will absolutely change the wallet's hash. It has been created with extra data instead of stripping it out.

I purchased as a presale wallet, I cannot actually contribute as I cannot actually generate a new wallet.

I sense the growing anger and frustrations here.

ghost commented 6 years ago

Everyone, I already commented so I won't jam the thread anymore. I just want to say that I know I clicked "view password" and I specifically know that it is the same as another password. I typed it extremely slowly with one finger and viewed the password. Even though I have tried every possible combination.... it cannot be anything else. So many people use password managers and copy + paste and their password doesn't work either. Anyway, this is not an argument. I just went ahead and burned my ether at the stake. Burning my ether at the stake meaning deleting the keys. It was over half an ethereum and I am utmost glad that I had not put 2, 3 or 4+ ether in here.

Anyway, this isn't a threat or argument. I just burned my ethereum at the stake. I'm over it. Good luck all, I won't be back.

Tguillaro commented 6 years ago

Still can not transfer my Eth out of this wallet... I know my password and every variation I have ever used, it does not work!!! I just want to transfer my coins out of this crappy wallet for fuck sakes

On Wed, Feb 21, 2018 at 5:41 PM, RntfgTroy notifications@github.com wrote:

> Everyone, I already commented so I won't jam the thread anymore. I just want to say that I know I clicked "view password" and I specifically know that it is the same as another password. I typed it extremely slowly with one finger and viewed the password. Even though I have tried every possible combination.... it cannot be anything else. So many people use password managers and copy + paste and their password doesn't work either. Anyway, this is not an argument. I just went ahead and burned my ether at the stake. Burning my ether at the stake meaning deleting the keys. It was over half an ethereum and I am utmost glad that I had not put 2, 3 or 4+ ether in here.
>
> Anyway, this isn't a threat or argument. I just burned my ethereum at the stake. I'm over it. Good luck all, I won't be back.


sebd-davra commented 6 years ago

@Tguillaro we all want the same, but nobody is able to reproduce the problem, but the issue is still real.

Tguillaro commented 6 years ago

Lmao, They're not able to reproduce the problem yet everyone is having this issue... Come on Eth, get your shit together!

On Thu, Feb 22, 2018 at 4:52 AM, sebd-davra notifications@github.com wrote:

> @Tguillaro we all want the same, but nobody is able to reproduce the problem, but the issue is still real.


ontheronix commented 6 years ago

Attention newcomers! It is not entirely true that the problem has not been reproduced: anormore has reproduced the problem of copy/pasting the password. See some posts above.

The problem of special characters has not been reproduced yet but it is very likely that it happens since the charset has no special characters in it (see philsmd's post).
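The copy/paste and special-character cases raised in the comments above, as an added example that is not code from Mist, geth or any commenter: it shows how an invisible difference in the password bytes yields a different derived key, and the kind of check a wallet UI could run at creation time. The KDF parameters, the function names and the sample password are assumptions chosen for illustration.

```python
import hashlib
import unicodedata


def derive_key(password: str) -> bytes:
    """Illustrative KDF over the raw UTF-8 bytes of the password.
    Assumption: PBKDF2-HMAC-SHA256, password reused as salt,
    2000 rounds, 16-byte key (parameters chosen for illustration)."""
    pw = password.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", pw, pw, 2000, dklen=16)


def input_hazards(password: str) -> list:
    """Flag characters a user cannot see or reliably retype (hypothetical check)."""
    hazards = []
    if password != password.strip():
        hazards.append("leading/trailing whitespace")
    if any(unicodedata.category(c) in ("Cc", "Cf") for c in password):
        hazards.append("control or zero-width character")
    if unicodedata.normalize("NFC", password) != password:
        hazards.append("not NFC-normalized")
    return hazards


TYPED = "caf\u00e9-Pass1"  # constructed sample password, as typed by hand
PASTED = {                 # constructed variants that look identical on screen
    "trailing LF": TYPED + "\n",
    "trailing CRLF": TYPED + "\r\n",
    "zero-width space": TYPED[:3] + "\u200b" + TYPED[3:],
    "NFD form": unicodedata.normalize("NFD", TYPED),
}


def compare_variants() -> dict:
    """For each variant: does it derive the same key, and what would a check flag?"""
    base = derive_key(TYPED)
    return {
        name: {"same_key": derive_key(v) == base, "hazards": input_hazards(v)}
        for name, v in PASTED.items()
    }


if __name__ == "__main__":
    for name, result in compare_variants().items():
        print(f"{name:18} same_key={result['same_key']} hazards={result['hazards']}")
```

Every variant derives a different key from the hand-typed password, and each one is caught by at least one of the three checks.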

Tguillaro commented 6 years ago

So what does that mean for us.. Can you fix the issue or are we all SOL on the money we have in this wallet

On Thu, Feb 22, 2018 at 10:29 AM, ontheronix notifications@github.com wrote:

> Attention newcomers! It is not entirely true that the problem has not been reproduced: anormore has reproduced the problem of copy/pasting the password. See some posts above.
>
> The problem of special characters has not been reproduced yet but it is very likely that it happens since the charset has no special characters in it (see philsmd's post).


73theconnector commented 6 years ago

It has been over a year since I was locked out of my wallet waiting to hear a solution. It’s hard to walk away from 16 ethers. Perhaps Ethereum is just another internet scam. “Bitconnect” I agree with AndyNormore “anger and frustrations” I still remember seeing my balance every day after I transferred my bitcoin into The Mist ethereum wallet and one day I turned my computer back on and all was gone....the rest is history.. Ethereum built a business out of stealing money from hard working people.

Tguillaro commented 6 years ago

Right, this is bullshit, I made a transfer to this wallet when it was 20 bucks a coin... That's a shit ton of money now >_<

On Sat, Feb 24, 2018 at 8:40 AM, 73theconnector notifications@github.com wrote:

> It has been over a year since I was locked out of my wallet waiting to hear a solution. It’s hard to walk away from 16 ethers. Perhaps Ethereum is just another internet scam. “Bitconnect” I agree with AndyNormore “anger and frustrations” I still remember seeing my balance every day after I transferred my bitcoin into The Mist ethereum wallet and one day I turned my computer back on and all was gone....the rest is history.. Ethereum built a business out of stealing money from hard working people.
