
Markus Hoffmeister: Here’s what’s behind the Collection#1 hack

Have you checked whether your password is among the roughly 21 million unique passwords (alongside some 773 million email addresses) currently circulating on an illegal website under the name “Collection#1”? If not, you can do so at Have I been pwned?. Even if you have, you may need to check again soon: the name suggests a first instalment, and rumour has it that more collections will follow. The dump appears to be compiled from many earlier breaches, and an unknown attacker has made off with a rich haul.

But how is password theft on this scale possible at all? It comes down to the nature of a password: both sides must know it. If an online provider has a million customers who log in with a password, it has to hold, for each of those million passwords, something that lets it check the next login. A careful provider does not keep the password itself but a salted, deliberately slow hash of it; a careless one keeps it in plaintext or as a fast, unsalted hash. In either case an employee with the appropriate rights, or an attacker who gets at the database, walks away with the whole table, and whatever is hashed is then cracked offline, one dictionary guess at a time. Hashing raises the attacker’s cost but does not remove the target, and the current breach, like many before it, shows that the protection in place is often weaker than it should be.
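To make the difference concrete, here is an added example (not code from the original article) in Go that stores the same constructed user table two ways, as a bare SHA-256 hash and as a salted PBKDF2-HMAC-SHA256 hash, and then runs a dictionary attack against each leaked table. The user names, passwords, dictionary and iteration count are all constructed for the example; the PBKDF2 routine is written out by hand so the block needs only the standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// kdfIterations is kept small so the example runs quickly; OWASP currently
// recommends 600,000 iterations for PBKDF2-HMAC-SHA256 in production.
const kdfIterations = 100000

// naiveHash is the weak scheme: one unsalted SHA-256 of the password.
// Identical passwords give identical hashes, so one precomputed dictionary
// cracks every matching record in a leaked table at once.
func naiveHash(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// pbkdf2SHA256 derives one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018 with
// dkLen = hLen), written out here to avoid any dependency outside the stdlib.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of the only block
	u := mac.Sum(nil)
	out := make([]byte, len(u))
	copy(out, u)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// record is what a careful provider stores per user: a random salt and the
// slow hash. Neither reveals the password, and the salt forces a per-user attack.
type record struct {
	Salt []byte
	Hash []byte
}

func newRecord(password string) record {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return record{Salt: salt, Hash: pbkdf2SHA256([]byte(password), salt, kdfIterations)}
}

func (r record) verify(password string) bool {
	candidate := pbkdf2SHA256([]byte(password), r.Salt, kdfIterations)
	return subtle.ConstantTimeCompare(candidate, r.Hash) == 1
}

// crackNaive is the attacker's side against the weak table: hash the
// dictionary once, then one map lookup per leaked user. The cost does not grow
// with the number of users.
func crackNaive(leaked map[string]string, dictionary []string) map[string]string {
	table := make(map[string]string, len(dictionary))
	for _, w := range dictionary {
		table[naiveHash(w)] = w
	}
	recovered := map[string]string{}
	for user, h := range leaked {
		if pw, ok := table[h]; ok {
			recovered[user] = pw
		}
	}
	return recovered
}

// crackSalted is the attacker's side against the salted table: the whole
// dictionary must be rerun per user, each guess costing kdfIterations HMACs.
// Weak passwords still fall; the defence buys time, not immunity.
func crackSalted(leaked map[string]record, dictionary []string) (recovered map[string]string, guesses int) {
	recovered = map[string]string{}
	for user, r := range leaked {
		for _, w := range dictionary {
			guesses++
			if r.verify(w) {
				recovered[user] = w
				break
			}
		}
	}
	return recovered, guesses
}

func main() {
	// Constructed sample data: three users, two of whom chose a dictionary word.
	users := map[string]string{"alice": "password", "bob": "K7$vq!Lm2#pWz9rT", "carol": "password"}
	dictionary := []string{"123456", "password", "qwerty", "letmein"}

	weak := map[string]string{}
	strong := map[string]record{}
	for u, pw := range users {
		weak[u] = naiveHash(pw)
		strong[u] = newRecord(pw)
	}
	fmt.Println("alice and carol share a hash in the weak table:", weak["alice"] == weak["carol"])
	fmt.Println("recovered from weak table:", crackNaive(weak, dictionary))
	rec, n := crackSalted(strong, dictionary)
	fmt.Printf("recovered from salted table: %v after %d guesses x %d iterations\n", rec, n, kdfIterations)
}
```

Both tables give up alice’s and carol’s passwords: no storage scheme rescues a password that is in the attacker’s dictionary. The difference is cost. The weak table is cracked with one pass over the dictionary for any number of users, and identical hashes even reveal who shares a password; the salted table forces a separate, slow run per user and still yields nothing for bob.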

There are ways to make a stolen password worthless, in particular two-factor authentication. For example, a transaction number (TAN) sent by text message, which the customer has to type in alongside the password (the mTAN method), is a second factor. An attacker holding only the stolen password cannot log in, because he does not have the transaction number. The catch is that the text message itself can be intercepted or redirected, for instance by taking over the victim’s phone number, and a TAN can be phished together with the password; it is a clear improvement, not a cure.

While the mTAN method is widely used in online banking, you certainly would not want to read your email this way. This is why another form of two-factor authentication is often the better solution: two-factor authentication with a smartcard. The technique uses asymmetric cryptography, which lets the provider check that the user holds a secret (here a private key) without ever learning that secret. The private key is stored on a smartcard and never leaves it. To log in, the user needs the card and a secret number (PIN) to unlock it: two factors. The provider sends a random challenge, the card signs it, and the provider checks the signature with the counterpart of the private key, the public key, which is all it needs to store. A hacker or a corrupt IT employee therefore has nothing worth stealing from the provider: a password collection does not exist, and a copied table of public keys cannot be used to log in as anyone. The PIN is checked only by the card, so there is no PIN database to steal either.
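The exchange described above, as an added example in Go that is not part of the original article: the smartcard is simulated in software (an assumption of this example; a real card enforces the same rules in hardware), the server keeps nothing but Ed25519 public keys, and the attacker is given a full copy of that store plus a recorded session to show that neither is enough to log in. User name, PIN and retry limit are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

const maxPINFailures = 3

// card simulates the smartcard in software (an assumption of this example).
// The private key is generated on the card and never read out; the card only
// signs once the correct PIN has been presented, and locks after too many
// wrong PINs.
type card struct {
	priv     ed25519.PrivateKey
	pin      string
	failures int
}

func (c *card) sign(pin string, challenge []byte) ([]byte, error) {
	if c.failures >= maxPINFailures {
		return nil, errors.New("card locked")
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		c.failures++
		return nil, errors.New("wrong PIN")
	}
	c.failures = 0
	return ed25519.Sign(c.priv, challenge), nil
}

// server holds public keys and nothing else: this is the provider's entire
// credential store, and leaking it gives an attacker nothing to log in with.
type server struct {
	pubkeys map[string]ed25519.PublicKey
}

// enroll generates the key pair, keeps the private half on the card and
// registers only the public half with the server.
func enroll(s *server, user, pin string) *card {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s.pubkeys[user] = pub
	return &card{priv: priv, pin: pin}
}

// newChallenge returns a fresh random nonce; because every login signs a
// different value, a captured signature cannot be replayed later.
func (s *server) newChallenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

func (s *server) verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubkeys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

// login runs one authentication round: challenge from the server, signature
// from the PIN-unlocked card, verification against the stored public key.
func login(s *server, user string, c *card, pin string) (bool, error) {
	ch := s.newChallenge()
	sig, err := c.sign(pin, ch)
	if err != nil {
		return false, err
	}
	return s.verify(user, ch, sig), nil
}

// forgeWithLeakedStore is the attacker who has copied the server's whole
// store. Without the private key the best he can do is sign with a key of his
// own, which the registered public key rejects.
func forgeWithLeakedStore(s *server, user string) bool {
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ch := s.newChallenge()
	return s.verify(user, ch, ed25519.Sign(attackerPriv, ch))
}

// replay is the attacker who recorded a genuine signature from an earlier
// session and presents it in answer to a new challenge.
func replay(s *server, user string, oldSig []byte) bool {
	return s.verify(user, s.newChallenge(), oldSig)
}

func main() {
	srv := &server{pubkeys: map[string]ed25519.PublicKey{}}
	c := enroll(srv, "alice", "4711") // constructed sample user and PIN

	ok, err := login(srv, "alice", c, "4711")
	fmt.Println("correct PIN, genuine card:", ok, err)
	ok, err = login(srv, "alice", c, "0000")
	fmt.Println("wrong PIN:", ok, err)

	ch := srv.newChallenge()
	sig, _ := c.sign("4711", ch)
	fmt.Println("forged with leaked public keys:", forgeWithLeakedStore(srv, "alice"))
	fmt.Println("replayed old signature:", replay(srv, "alice", sig))
}
```

The point to take from the code is what the server never has: no password, no private key, not even the PIN. A breach of its store yields public keys, which by construction let anyone verify signatures and nobody produce them, and the fresh challenge per login is what stops a recorded session from being reused.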

Numerous companies and authorities have long since switched to two-factor authentication of this kind and thereby abolished passwords. Online shops, email services and social media providers, on the other hand, usually shy away from the cost of equipping their customers with smartcards. Yet the loss of 21 million passwords, as in the current case, causes far greater damage. It is time for these providers to change their minds.