Joe and Bruno's Guide to Hacking Time: Regenerating Passwords from RoboForm's Password Generator

Presented at DEF CON 32 (2024), Aug. 9, 2024, 2:30 p.m. (45 minutes).

Imagine if you could go back in time to precompute all passwords that could have been generated by an off-the-shelf password generator? With RoboForm versions prior to June 2015, you can! In Joe and Bruno's Guide to Hacking Time, Joe and Bruno share their story, process, and experiences of reverse engineering RoboForm, finding a weakness in the randomness of the password generation routine, and creating a wrapper to generate all possible passwords that could have been generated within a specific time frame. Their work, using Cheat Engine, Ghidra, x64dbg, and custom code, was done specifically to help someone recover over $3 million of Bitcoin locked in a software wallet, but the attack could be exploited against any account or system protected by a password generated by RoboForm before their 7.9.14 release when this problem was fixed. - Kung Fury, [link](https://www.youtube.com/watch?v=fQGbXmkSArs) - Cheat Engine - Ghidra - x64dbg

Presenters:

  • Joe Grand / Kingpin as Joe "Kingpin" Grand
    Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, teacher, daddy, honorary doctor, occasional YouTuber, creator of the first electronic badges for DEFCON, member of L0pht Heavy Industries, and former technological juvenile delinquent.
  • Bruno Krauss
    Bruno Krauss is a software engineer and Bitcoin enthusiast. He demonstrated his knack for password cracking at the age of 13 by bypassing his secondary school's IT security to mine BTC on their PCs and now specializes in cryptocurrency recovery.

Similar Presentations: