Something akin to passwords have seemingly been used for at least as long as humans have been recording history. For example, one of the earliest references to something like a password is mentioned in the Book of Judges, which was first written down sometime around the 6th or 7th century BC. Specifically, it states in Judges 12:
And the Gileadites took the passages of Jordan before the Ephraimites: and it was so, that when those Ephraimites which were escaped said, Let me go over; that the men of Gilead said unto him, Art thou an Ephraimite? If he said, Nay;
Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan...
Fast-forwarding a bit in history and Roman legionaries are known to have used a simple system of passphrases to discern whether a stranger was friend or foe. Second century BC Greek historian, Polybius, even describes in detail how the password system worked in terms of making sure everyone knew what the current password was:
...from the tenth maniple of each class of infantry and cavalry, the maniple which is encamped at the lower end of the street, a man is chosen who is relieved from guard duty, and he attends every day at sunset at the tent of the tribune, and receiving from him the watchword—that is a wooden tablet with the word inscribed on it - takes his leave, and on returning to his quarters passes on the watchword and tablet before witnesses to the commander of the next maniple, who in turn passes it to the one next him. All do the same until it reaches the first maniples, those encamped near the tents of the tribunes. These latter are obliged to deliver the tablet to the tribunes before dark. So that if all those issued are returned, the tribune knows that the watchword has been given to all the maniples, and has passed through all on its way back to him. If any one of them is missing, he makes inquiry at once, as he knows by the marks from what quarter the tablet has not returned, and whoever is responsible for the stoppage meets with the punishment he merits.
Roman historian Suetonius even mentions Caesar using a simple cipher which required the recipient to know a key, in this case the correct number of times to shift the alphabet, to decipher the message.
As for more modern times, the first known instance of a password system on an electronic computer was implemented by now retired professor of computer science at the Massachusetts Institute of Technology, Fernando Corbato. In 1961, MIT had a giant time-sharing computer called the Compatible Time-Sharing System (CTSS). Corbato would state in a 2012 interview: "The key problem [with the CTSS] was that we were setting up multiple terminals, which were to be used by multiple persons but with each person having his own private set of files. Putting a password on for each individual user as a lock seemed like a very straightforward solution."
Something we should mention before continuing is that Corbota is hesitant to take credit for being the first to implement a computer password system. He suggests that a device built in 1960 by IBM called the Semi-Automatic Business Research Environment (Sabre), which was (and still is in an upgraded form) used for making and maintaining travel reservations, probably used passwords. However, when IBM was contacted about this, they were unsure if the system originally had any such security. And as nobody seems to have any surviving record of whether it did, Corbato is seemingly universally given credit for being the first to put such a system on an electronic computer.
Of course, an issue with these early proto-passwords is that all of them were stored in plane text despite the gaping security hole this introduces.
On that note, in 1962, a PHD student called Allan Scherr managed to get the CTSS to print off all of the computer's passwords. Scherr notes,
There was a way to request files to be printed offline, by submitting a punched card with the account number and file name. Late one Friday night, I submitted a request to print the password files and very early Saturday morning went to the file cabinet where printouts were placed... I could then continue my larceny of machine time.
This "larceny" was simply getting more than the four hours of allotted daily computer time he'd been granted.
Scherr then shared the password list to obfuscate his involvement in the data breech. System admins at the time simply thought there must have been a bug in the password system somewhere and Scherr was never caught. We only know that he was responsible because he sheepishly admitted almost a half century later that it was he who did it. This little data breach made him the first known person to steal computer passwords, something the computer pioneer seems quite proud of today.
Hilariously, according to Scherr, while some people used the passwords to get more time on the machine to run simulations and the like, others decided to use them to log into the accounts of people they didn't like just to leave insulting messages. Which just goes to show that while computers may have changed a lot in the last half century, people sure haven't.
In any event, around 5 years later, in 1966, CTSS once again experience a massive data breach when a random administrator accidentally mixed up the files that displayed a welcome message to each user and the master password file... This mistake saw every password stored on the machine being displayed to any user who attempted to log into CTSS. In a paper commemorating the fiftieth anniversary of CTSS engineer Tom Van Vleck fondly recalled the "Password Incident" and jokingly noted of it: "Naturally this happened at 5 PM on a Friday, and I had to spend several unplanned hours changing people's passwords."
As a way to get around the whole plain text password problem, Robert Morris created a one-way encryption system for UNIX which at least made it so in theory even if someone could access the password database, they wouldn't be able to tell what any of the passwords were. Of course, with advancements in computing power and clever algorithms, even more clever encryption schemes have had to be developed... and the battle between white and black hat security experts has pretty much been waging back and forth ever since.
This has all led to Bill Gates famously stating in 2004, "[Passwords] just don't meet the challenge for anything you really want to secure."
Of course, the biggest security hole is generally not the algorithms and software used, but the users themselves. As famed creator of XKCD, Randall Munroe, once so poignantly put it, "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."
On this note of training people to make bad passwords, the blame for this can be traced back to widely disseminated recommendations by the National Institute of Standards and Technology, published in the page turner that was the eight page NIST Special Publication 800-63. Appendix A, written by Bill Burr in 2003.
Among other things, Burr recommended the use of words with random characters substituted in, including requiring capital letters and numbers, and that system admins have people change their passwords regularly for maximal security...
Of these seemingly universally adopted recommendations, the now retired Burr stated in an interview with the Wall Street Journal, "Much of what I did I now regret..."
To be fair to Burr, studies concerning the human psychology aspect of passwords were largely non-existent at the time he wrote these recommendations and in theory certainly his suggestions at the least should have been very slightly more secure from a computational perspective than using regular words.
The problem with these recommendations is pointed out by the British National Cyber Security Centre (NCSC) who state, "this proliferation of password use, and increasingly complex password requirements, places an unrealistic demand on most users. Inevitably, users will devise their own coping mechanisms to cope with 'password overload'. This includes writing down passwords, re-using the same password across different systems, or using simple and predictable password creation strategies."
To this point, in 2013 Google performed a quick little study on people's passwords and noted that most people use one of the following in their password scheme: The name or birthday of a pet, family member or partner; an anniversary or other significant date; birthplace; favorite holiday; something to do with a favorite sports team; and, inexplicable, the word password...
So, bottom line, most people choose passwords that are based on information that is easily accessible to hackers, who then can in turn relatively easily create a brute force algorithm to crack the password.
Thankfully, while you might not know it from the ubiquity of systems out there that still require you to do your best impression of Will Hunting to set a password, most security advisory entities have drastically changed their recommendations in the last few years.
For example, the aforementioned NCSC now recommends, among other things, system administrators stop making people change passwords unless there is a known password breach within the system as, "This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits..." Further noting that studies have shown that "Regular password changing harms rather than improves security..."
Or as Physicists and noted Computer Scientist Dr. Alan Woodward of the University of Surrey notes, "the more often you ask someone to change their password, the weaker the passwords they typically choose."
Similarly, even a completely random set of characters at typical password requirement lengths is relatively susceptible to brute force attacks without further security measures. As such, the National Institute of Standards and Technology has likewise updated their recommendations, now encouraging admins to have people focus on lengthy, but simple, passwords.
For example, a password like "My password is pretty easy to remember." is generally going to be orders of magnitude more secure than "[email protected]@m3!1" or even "*^sg5!J8H8*@#!^"
Of course, while using such phrases makes things easy to remember, it still doesn't get around the problem of the seemingly weekly occurrence of some major service having their database hacked, with said systems sometimes using weak encryption or even none at all in their storing of private data and passwords, such as the recent Equifax hack that saw 145.5 million people in the U.S. have their personal data exposed, including full names, Social Security Numbers, birth dates, and addresses. (Across the pond, Equifax also noted about 15 million UK citizens had their records stolen in the breach as well.)
In shades of the first ever password hack mentioned previously which required Scherr to just request that the password file be printed, it turns out to get access to the vast amount of personal data Equifax stores on people, an anonymous computer security expert told Motherboard, "All you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app."
Because of this sort of thing, the National Cyber Security Centre also now recommends admins encourage people to use password manager software in order to help increase the likelihood that people use different passwords for different systems.
In the end, no system will ever be fully secure, no matter how well designed, bringing us to the three golden rules of computer security, written by the aforementioned famed cryptographer Robert Morris: "do not own a computer; do not power it on; and do not use it."
- In the age of everyone's lives being stored online on various companies' servers- generally all protected by passwords, the University of London noted in a recent study that about 10% of people are now putting a list of their common passwords in their wills to make sure people can access their data and accounts after they die. Interestingly, the problem of people not doing this actually is noted as having caused a major problem after the 9/11 attacks. For example, Howard Lutnick, a one time executive at Cantor Fitzgerald, noted his rather unenviable task of having to track down the passwords of almost 700 employees who'd died in the attack. Because of how critical it was for the company to have access to their files right away before the evening bond markets opened, he and his staff had to call loved ones of the dead to ask for the passwords or what the passwords might be that same day... Thankfully for the company, most of the employees' passwords were based on the aforementioned flawed recommendations by Bill Burr- the "J3r3my!" variety. This, in combination with specific personal information from loved ones Lutnick collected, allowed a team dispatched by Microsoft to relatively easily crack the unknown passwords via brute force in short order.
Expand for References