SecurityBrief Asia - A short history of the computer password

ThinkstockPhotos-671978144.jpg

A short history of the computer password

The password is nothing new. In fact, it has been around for centuries. Way before Hotmail, Skype and Netflix were prompting you to create a secure code with a funky username, the Romans reportedly used passwords as a way to convey important military messages between troops.

Essentially, it was a simple way to protect information. Fast forward a few thousand years and enter Fernando Corbató.

Widely regarded as the godfather of the modern computer password, he introduced the idea to computer science while working at the Massachusetts Institute of Technology (MIT) in 1960.

The university had developed a huge Compatible Time-Sharing System (CTSS) that all researchers had access to. However, they shared a common mainframe as well as a single disk file.

To help keep individual files private, the concept of a password was developed so that users could only access their own specific files for their allotted four hours a week – hey, computer time was limited back in the 60s.

Although the password was less than perfect, something Corbató is the first to admit, it went on to become the go-to method for computer security, both in the personal and corporate spheres, due to its simplicity (although this would later be seen as one of its faults).

Hashing, salt and cryptology

In those early days of computing, the use of passwords in this sense was fairly limited, mainly to guys like Corbató and his team who were among the first to really explore the power of computers.

However, as the world wide web exploded in the 90s, more and more people began using the internet on a regular basis, creating reams of sensitive data and information in the process.

But even before the web went into overdrive, early computer scientists were working on a way to make passwords more secure. And, to do that, computer science took a leaf from cryptology.

Working for Bell Labs in the 70s, cryptographer Robert Morris devised “hashing”; the process by which a string of characters is transformed into a numerical code that represents the original phrase.

Hashing was adopted in early unix-like operating systems, which are widely used today across the world in mobile devices and workstations. Apple’s macOS, for example, uses unix, while the PlayStation 4 uses Orbis OS, a unix-like operating system.

Adding yet another level of security, modern password databases can also employ “salting” to further encrypt a password whereby random data is inserted before the password, and then the resulting string is hashed.

This, however, doesn’t stop a simple password from being guessed: the main aim is to stop a leaked password or multiple passwords (for example, in the event a database has been breached) from being cracked and used.

But back when Corbató devised the password, security wasn’t such a huge issue: hacking, as we understand it today, didn’t really appear until the 80s.

Now, it’s a different story: almost everything is online.

From banking and shopping, to TV and music, we keep our data safe with a string of digits and letters. But how safe is it? Even huge companies eBay and LinkedIn have been attacked in recent years, compromising the passwords of their users.

The pros and cons of the password

There are a couple of seemingly intrinsic problems with passwords. One, it seems to be that short ones are easy to remember but easier to guess. Two, longer ones are harder to crack but harder to remember.

Keeping so many different passwords can be difficult too. Just think about how many online accounts the average person has: online banking, personal email, iTunes, Skype, Amazon … the list goes on and on.

This has led many people to just use one or two passwords across the board. This, of course, poses a major problem: if attackers work it out, they then have access to everything.

Another issue is the choice of the password itself. Shockingly, SplashData found that a great many people still used “password” or “123456” as the key to their sensitive data – it’s not going to take a cybercriminal much effort or time to crack that code now, is it?

The password is dead … long live the password

Passwords do, of course, provide a level of security, and despite the likes of Bill Gates saying it was dead way back in 2004, most companies with online portals still use them.

So how can you make your passwords more secure? Well, there are a few options.

The people behind World Password Day, an initiative focused on improving password strength, suggest that each account should have its own unique password to avoid this very issue.

Creating strong passwords in the first place is also crucial. Codes that combine words and numbers, avoid obvious personal information and that are eight or more letters in length generally work best.

Users can also adopt a “passcode” strategy for increased security or adopt two-factor authentication, where a password is only one step in gaining access to sensitive data.

Further, moving beyond passwords is recommended – passphrases, for example, offer users better security courtesy of longer and complex sentences, while still being easy to remember.

If all this password malarkey seems a bit much, you could take a leaf from the late cryptographer Robert Morris (father of Robert Morris Jr, author of the Morris Worm). Besides his contributions to password hashing the above tips, he had a slightly more unusual suggestion for computer security:

“The three golden rules to ensure computer security are: do not own a computer; do not power it on, and do not use it.” A little too extreme perhaps …

Article by Welivesecurity.

Are you keen to hear more? We can get you in contact with ESET.

Follow Us

Featured

next-story-thumb Scroll down to read: