Who invented passwords? History and future of the password

Ever wondered when people started using passwords? It may not surprise you to hear that the ancient Romans had military passcodes, but did you know that they make an appearance in the Hebrew Bible as well?
Discover the history of passwords – who invented passwords, where the notion of a secure password comes from, and what the future of passwords looks like.
Sticky notes with passwords stuck to computer screen
Will passwords like this soon belong to the past?

A look at history shows that passwords – in the form of codes, watchwords or passphrases – have been used for thousands of years to
  • gain access to a place or object, whether a city, a secret hideout, a control center, or a safe
  • obtain information, like a closely guarded formula or military codes
  • verify identity, such as membership in a group like an army troop
Referred to the “something you know” method in authentication, passwords have been used in a wide variety of contexts. The name may vary between keyword, code, watchword, PIN, TAN... But the principle remains the same – if you can’t provide the exact combination of letters, words or numbers, you won’t get in!

Passwords: from antiquity to the present day

Examples of the password abound in popular culture. Just think of the classic folk tale of “Ali Baba and the Forty Thieves” where the phrase “Open, Sesame!” unlocks a cave full of treasure. Or who can forget the image of patrons whispering a password to enter a speakeasy during Prohibition? And the ever-changing passwords in Hogwarts castle often provided plot twists and comic relief in J.K. Rowling’s Harry Potter novels.

Who goes there? Watchwords and military passwords

The use of passwords can be found in military contexts far back in history. For example, sometime around the 11th century BCE, an armed conflict broke out between the tribes of Gilead and Ephraim. The Bible’s Book of Judges tells us that soldiers from Gilead used the password “Shibboleth” to differentiate between friend and foe. Because their enemies pronounced this word differently due to their dialect, the password proved a highly effective form of “authentication”!  

The ancient Romans assigned “watchwords” so that the night watch outside city gates could recognize their comrades in the dark. If you didn’t know the word, you weren’t allowed to pass. The Romans were also no slouches when it came to changing their passwords regularly. Especially in times of war, it was absolutely essential that only authorized individuals knew the current password. A daily password change was performed by a soldier going to the tent of the commanding officer and receiving the day’s password on a wooden tablet. It was then passed on to the commanders of the different units, always with a witness to verify the process, effectively eliminating any security gaps.

Famously weak passwords

The Roman system seems far more effective than the depiction of military security in medieval Denmark found in Shakespeare’s Hamlet, where “Long live the king!” is the password which identifies the guard arriving to stand the next watch. This surely belongs alongside “QWERTY1234” on any list of easily guessed passwords. But this fictional account of lax password security pales in comparison to a true story from America’s Cold War era.

In 2004, Dr. Bruce G. Blair, a former Minuteman officer, revealed that in the 1970s, American commanders set an 8-digit code for opening the locking panel on the launch silos of Minuteman nuclear missiles. So far, so good – but in fact the password for EVERY silo was 00000000. The reasoning was that the biggest risk was not an unauthorized missile launch, but not being able to launch them quickly enough if there were interruptions in lines of communication during a Soviet attack. Keeping this in mind, the already weak password was also printed on the launch checklists and was therefore accessible even to civilian contractors. Viewed through the lens of today’s concerns with password security, this seems shockingly negligent.

Birth of the computer password

The advance of computers in the 1960s fundamentally changed the use of passwords. While passwords had previously been used primarily for military purposes, they gradually became a common part of people’s everyday lives.
 
In 1960, the computers at the Massachusetts Institute of Technology (MIT) were shared by multiple users under the CTSS (Compatible Time-Sharing System). To allow several people to share a computer and still store private content to which no one else had access, Fernando Corbató proposed the first system for protecting files with a password.

Not surprisingly, it did not take long for the first password hackers to make their appearance. Just two years later, the first security vulnerabilities were discovered: the passwords were stored as simple text files. A doctoral student who wanted more time on the shared computer was able to print out the system’s password file and used the “borrowed” login credentials to log in under different names so he could keep working on his own project.

Rise of the strong password

Thus began a vicious cycle of developing better and stronger passwords and computer security and hackers finding new ways to circumvent them. As computers moved out of closed research and academic facilities into businesses and homes, and were connected by the internet, the stakes for someone breaking into your computer became much higher than a colleague stealing your time slot or leaving a rude message in your file. In 2003, Bill Burr, a manager at the National Institute of Standards and Technology (NIST) proposed a system for creating passwords that were harder to guess: a mix of numbers, letters, and special characters. Sound familiar? However, in a 2017 interview with the Wall Street Journal, Burr admitted that he had some regrets.

Ironically this system that forced people to use random strings of numbers and letters as passwords, have a different password for each account, and change them regularly actually led to LESS secure passwords – remembering multiple strong passwords is just too hard, and many people revert to “Password123!” or rotating through their pets’ names. (Which unfortunately plays right into the hackers’ hands.) To be fair, the NIST research that led to the recommendation was conducted in the 1980s, so it could not anticipate today’s world of multiple devices and online accounts that forces the average person to manage around 100 passwords.

Future of the password

The history of the password shows us that all an attacker needs to do gain access to a castle or to a computer is to get their hands on the right code. In most cases, this makes the password the weakest link in the cybersecurity chain. The 2017 Verizon Data Breach Investigation Report showed that 81 percent of data breaches resulted from stolen or compromised passwords. Which in turn has had many experts calling for an end to the password. From two-factor authentication to security certificates stored on devices, recent years have seen many attempts to bridge this potential security gap.

The next step in this evolution seems to be the move toward biometric identity authentication, which relies on analyzing an individual’s unique physical characteristics. The newest generations of smartphones have taken fingerprint and facial recognition technology – once found only in top-secret military installations – and put it into everyone’s pocket, literally. This solution is far easier to use than passwords, eliminating the need to remember long strings of characters and numbers.

Until the password is completely replaced by other forms of authentication, however, it is extremely important that we continue to use secure passwords, especially for our email accounts!

We hope you enjoyed this deep dive into the history of the password! We look forward to your feedback below!

Images: 1&1/GettyImages
 

17 people found this article helpful.

Related articles

Account registration: What can happen if I enter false information?

I have 2FA enabled, but it’s not working. What should I do?

How secure is my password?