The Life and Death of Passwords: Computing Era
Our documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is established in a passwordless future. With its release, we’re taking a trip through time, from digging into the early days of passwords to imagining the passwordless potential that lies ahead.
Today: The arms race between code makers and code breakers ushers in the computing era, digital passwords are introduced (and quickly broken), and encryption fixes the security loophole of storing passwords in plaintext.
It wouldn’t be long after WWII when the burgeoning development of computer systems grew large enough that MIT had to solve a new problem: With limited computing power available and more researchers needing access than the system could handle at once, how could they divvy up a schedule that allowed all users a guaranteed window of access? This culminated in the Compatible Time-Sharing System (or just CTSS), a researcher access scheduling system which assigned each user a unique password and limited the number of accounts that could access the system at once.
But, as can often happen when security for users conflicts with what users need to get done, this new system didn’t function as intended for very long. Almost as soon as it was implemented, researchers began to swap passwords to share their access windows. Before long, one researcher discovered that all passwords were stored in plaintext on the mainframe, giving them a master key for unlimited access.
Over the following decades, further refinements were added to try and shore up the effectiveness of password security. Pioneering researchers Ken Thompson and Robert Morris fixed the security loophole presented by storing passwords in plaintext with the introduction of “hashing.” This used an algorithm to scramble the password into what looked like random characters, but which could be decrypted by the system when needed and checked against what a user entered. You can think of the hashing algorithm here much like the Caesar and Vigenère ciphers we just talked about: if the encryption works as intended, only the system with the set of rules used to encode the secret password should be able to decrypt it.
But just as many codes and ciphers fell flat in the face of frequency analysis, anything that can be predictably hidden can eventually be predictably found. And much as null or dummy characters were added to an encoded message to throw off prying eyes, Thompson and Morris improved their method with “salting,” which adds these padding characters to an encrypted password. Cracking a password now required anyone looking to reverse it to have both the algorithm AND the salting pattern used.
Despite the dawning awareness among the population at large of the idea of computer security, fueled by pop culture media like the “WarGames” film series, through much of the ’80s the techniques of password security appeared to have outpaced most techniques for compromising them. While computing power grew by leaps and bounds, the time and number-crunching required to crack most passwords could still be measured in decades, even centuries.
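The salted scheme described above, as an added example that is not code from the original post or from Thompson and Morris: the password is never stored or recovered, the system keeps a random salt next to a one-way hash and, at login, recomputes the hash from what the user typed and compares. PBKDF2-SHA256 stands in for the original Unix crypt() routine, and the iteration count is an assumed value for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the original post. PBKDF2 is used here as a
# stand-in for the historical Unix crypt() routine (an assumption); the
# iteration count is a placeholder work factor, not a recommendation.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$hash' (both hex) for storage.

    A fresh random salt is drawn when none is supplied, so two users who
    pick the same password end up with different stored entries.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    Nothing is decrypted: the stored digest is one-way, and the check only
    succeeds if the recomputed digest matches it.
    """
    salt_hex, _digest_hex = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def same_password_distinct_entries(password: str) -> bool:
    """Show why salting matters when a password file leaks: identical
    passwords produce different entries, so a precomputed table for one
    entry tells an attacker nothing about the others."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    entry = hash_password("correct horse battery staple")
    print("stored entry:", entry)
    print("correct password verifies:", verify_password("correct horse battery staple", entry))
    print("wrong password verifies:  ", verify_password("Tr0ub4dor&3", entry))
    print("same password, distinct entries:", same_password_distinct_entries("hunter2"))
```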
That changed in 1988, when what many consider the first computer virus to spread through the internet appeared in the form of the Morris Worm. In a twist worthy of Shakespeare, security pioneer Robert Morris’ own son, Cornell University graduate student Robert Morris Jr., developed the worm as a research project. But thanks to a minor quirk in coding, this project spread much further and did far more damage than he intended, knocking 6,000 networked systems around the world offline. The novelty and dramatic family aspect of the story grabbed the public’s attention, and the younger Morris became the first person charged under the Computer Fraud and Abuse Act passed five years earlier. What made the Morris Worm so sophisticated was its combined methods of using a “dictionary attack” of the then-most common 900 passwords, along with a method that tried to search out a system’s password file to crack it if that didn’t work.
Before the Morris Worm, the general attitude towards computer security was lax. As a tool primarily used by government, academic, and large corporate organizations, most systems were built to allow minimal friction for users that might slow their work. They often relied on standard or default passwords that would allow users to log in regardless of the machine they sat down at. After Morris Jr.’s conviction, that attitude quickly changed, and organizations like the Department of Defense began to quickly lock down systems with stronger measures like multi-factor authentication.
The late ’80s and ’90s sped down the road towards ubiquitous computing access, as more and more homes brought home powerful desktop PCs that would have cost thousands of dollars just a few years before. The introduction of home internet services like Prodigy, CompuServe, and America Online saw the profile of the average computer user expand from employees and researchers to… well, just about anybody.
With that seismic change, the security passwords provide and the encryption keeping those secrets safe went from important to vital.
Hearing all this, you might think that most password hacks look like they do in the media: a shadowy figure frantically types away while complex code scrolls past, as their nefarious software cracks someone’s password one character at a time.
But the truth is much more mundane, though no less concerning. In the last couple of decades, the biggest drivers of breached accounts have been either stealing user passwords through phishing and malware attacks or finding re-used credentials in the growing number of “password dumps,” where MASSIVE quantities of previously stolen passwords are bundled and shared with other attackers. Because most users repeat the same password for multiple accounts, this can often be as effective as finding an extra copy of someone’s house keys. And when we say “massive,” we mean it: the largest password dump to date, RockYou2021, included more than 8.4 BILLION passwords, which means there was more than one password for every human being on earth in this single release.
That brings us to today, where 2/3 of people in the US have experienced some form of data theft largely driven by compromised passwords, which are a factor in 85% of successful breaches. With numbers this daunting, what’s the good news? Are we doomed, or can we solve these password problems to help keep ourselves and our personal information safe?
To answer that, we’ll check in with our experts.
Next in our series on passwordless history: Our panel of experts share their password-related pain points, from the challenges of remembering and rotating them to unequal access to technology slowing passwordless adoption.