From Ancient Greece to Multi-Factor Authentication, passwords have been data gatekeepers for longer than you might think.
How did words, numbers, and even special characters evolve to become the core protectors of our data today?
Read below to learn more from our password predecessors and get an insight into how future passwords will be more about what you know and how you act...
The Greek historian Polybius, writing in the Hellenistic period, described a system used by the Roman military: sentries used “watchwords” to challenge anyone wishing to enter a guarded area.
Speakeasies, also known as “blind pigs” and “gin joints” ranged from fancy clubs to dirty backrooms and basements. During Prohibition, they were all the rage. The passwords used are lost to time, but access to a speakeasy could be gained by speaking the password softly (speak it easy, thus speakeasy), a secret handshake or knock, or membership card.
1944 – Following D-Day, English-speaking Allied personnel in Europe used a challenge-response process that served both as a password system and as a vetting system. The first person would call out FLASH and wait for the response THUNDER from the second person; the first person then confirmed with WELCOME once the correct response had been received. The words were chosen because Germans speaking English had trouble with the w-sound.
1960 – First password used at the Massachusetts Institute of Technology, for the Compatible Time-Sharing System (CTSS) led by Fernando Corbató. Each user got a private set of files on a shared mainframe, accessed from their own terminal, with the password keeping one user’s files from another. Corbató later told the Wall Street Journal in an interview that passwords became “sort of a nightmare” with the World Wide Web.
1962 – First password-based data breach happens when the CTSS password file is printed out and shared. Ph.D. candidate Allan Scherr requested a printout of the file so he could use other users’ accounts to get more time on the CTSS for his research simulations.
1974 – Robert Morris introduces one-way password hashing to Unix. Instead of the password itself, the system stores the output of a function that is cheap to compute but impractical to reverse, so a stolen password file does not directly reveal anyone’s password. Hashing remains the basis of password storage today, with one important refinement: modern systems use deliberately slow functions (bcrypt, scrypt, Argon2, or heavily iterated PBKDF2) rather than a fast general-purpose hash, so that each guess costs an attacker real time.
1979 – Robert Morris and Ken Thompson coin the term “salt”. Salting means mixing a random value (the salt) into the password before hashing and storing the salt alongside the hash. Two users with the same password then get different hashes, and an attacker cannot reuse a table of precomputed hashes across accounts; each hash has to be attacked on its own. Salting is still standard practice today.
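The two storage schemes side by side, as an added example that is not part of the original article: an unsalted fast hash that an attacker reverses instantly with a precomputed table of the common passwords this page lists, and a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python’s standard library) where the same password produces a different record every time. The iteration count, the record format and the small candidate list are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. The value is an assumption for this
# example; tune it so one hash costs a noticeable fraction of a second on
# your own servers.
ITERATIONS = 600_000

# Constructed candidate list: an attacker hashes common passwords once and
# then reverses any unsalted hash by simple lookup.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon", "abc123"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: a plain fast hash of the password alone."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> dict:
    """What an attacker prepares offline against unsalted hashes."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(stored_hash: str, table: dict) -> Optional[str]:
    """Instant reversal of an unsalted hash via the precomputed table."""
    return table.get(stored_hash)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """The stronger scheme: random per-user salt plus a slow, iterated hash.

    Returns a self-describing record (format is an assumption of this example)
    so the verifier can recover the parameters later:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    """
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, fresh for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record: wrong field count, bad hex, bad int
        return False


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted 'letmein' reversed to:", crack_unsalted(unsalted_hash("letmein"), table))
    a, b = hash_password("letmein"), hash_password("letmein")
    print("same password, two salted records differ:", a != b)
    print("verify correct password:", verify_password("letmein", a))
    print("verify wrong password:", verify_password("letmeout", a))
```

The record carries its own iteration count so the work factor can be raised for new passwords without breaking verification of old ones; `hmac.compare_digest` avoids leaking how many leading bytes of a guess matched through timing.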
Nearly 50% of all data breaches involved stolen credentials (Verizon DBIR, 2022), but weak passwords are a problem too. Passwords of five (5) and six (6) characters remain common, and among the 10,000 most common passwords you’ll find such gems as 123456, password, qwerty, letmein, shadow, baseball, football, dragon, 123321, and abc123.
AT&T invented and patented two-factor authentication in 1995, and the patent was granted in 1998.
As hardware gets faster and criminals take to cracking the password hashes exposed in data breaches, the trend toward longer passwords starts to take off.
Two-factor authentication (2FA) is followed by multi-factor authentication (MFA). MFA draws on three core factors: something you know (a password), something you have (your phone, an MFA token, a smart card, etc.), and something you are (biometrics). A fourth factor, somewhere you are (location), is used by some vendors, including Duo.
2FA and MFA are adopted increasingly, largely because of the explosion of data breaches that exposed passwords. These breaches are particularly harmful because passwords were often recycled and reused across multiple websites and services (this still happens today!), so one leaked password unlocks many accounts.
You need a password of about 12 to 18 characters or longer to stay ahead of the curve. Password managers are becoming increasingly handy tools for generating and storing passwords that long, so humans don’t have to manage the complexity themselves.
2022 – an eight (8) character password comprised of upper and lowercase letters, numbers, and symbols can be cracked, and fully exposed, in about 39 minutes. Passwords of the same complexity but shorter than 8 characters can be cracked in seconds, or instantly. Two caveats apply to figures like these: they assume a brute-force search against a fast hash on GPU hardware, so a deliberately slow hash stretches the time by orders of magnitude, and real attackers rarely brute-force at all, since wordlists and mangling rules recover most human-chosen passwords far faster than these worst-case numbers suggest.
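The arithmetic behind those figures, as an added example that is not part of the original article: the worst-case brute-force time is the keyspace (character-set size raised to the password length) divided by the attacker’s guess rate. The code backs the implied guess rate out of the “8 mixed characters in about 39 minutes” figure above, then shows how that time changes with length and with a slow hash. The 94-character printable set, the 100,000-iteration slowdown factor, and the 39-minute anchor are assumptions made for this example.

```python
# Character-set sizes for the categories the crack-time figures refer to.
LOWER = 26
ALNUM_MIXED = 26 + 26 + 10
ALL_PRINTABLE = 26 + 26 + 10 + 32  # letters, digits and 32 symbols: 94 (assumed set)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must try in the worst case."""
    return charset_size ** length


def implied_rate(charset_size: int, length: int, seconds: float) -> float:
    """Guesses per second that a quoted worst-case crack time corresponds to."""
    return keyspace(charset_size, length) / seconds


def crack_seconds(charset_size: int, length: int, rate: float) -> float:
    """Worst-case brute-force time at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    if seconds < 60:
        return f"{seconds:.2f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    # Back out the guess rate behind "8 mixed characters in about 39 minutes".
    rate = implied_rate(ALL_PRINTABLE, 8, 39 * 60)
    print(f"implied guess rate: {rate:.2e} guesses/s (fast hash, GPU hardware)")
    for length in (6, 7, 8, 10, 12, 16):
        t = crack_seconds(ALL_PRINTABLE, length, rate)
        print(f"{length:2d} chars, 94-symbol set: {human(t)}")
    # Assumption: a PBKDF2-style hash with 100,000 iterations costs about
    # 100,000 times more per guess than the fast hash behind the headline figure.
    slow_rate = rate / 100_000
    print(f" 8 chars, slow hash:        {human(crack_seconds(ALL_PRINTABLE, 8, slow_rate))}")
```

Each extra character multiplies the work by the character-set size, which is why length beats complexity tricks, and why the same 8-character password that falls in minutes to a fast hash takes years against a properly slow one.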
The future is a passwordless one. Authentication will focus on what you know, what you have, what you are, where you are (contextual), and how you act (behavioral), an approach also known as risk-based authentication and continuous trusted access.