60 Years of Passwords

The birth of the password

We started using passwords 60 years ago – where will they go from here? Although verbal passwords have been used since ancient times to establish trust between groups and individuals, today we understand the password as a computing concept. We use typed passwords to access our emails, shopping accounts, bank accounts, social media and every online service we use.

The modern password originates at the Massachusetts Institute of Technology (MIT) in 1961, where the Compatible Time-Sharing System (CTSS) was developed: one of the first time-sharing operating systems, allowing several people to work on the same computer at the same time.

CTSS was used by different researchers at MIT to help manage their work, print documents and so on. Since it was designed to be shared by many users, each allowed access only to their own files, MIT needed a way of managing and controlling individual access.

Fernando Corbató, professor of computer science at the time, decided users should have a personal confidential password for access to their part of the shared system. [i]

Passwords were the most logical solution for CTSS. Sixty years later, passwords still form the cornerstone of almost all user authentication systems. Although the system we share now – the world wide web itself – is vastly larger and more complex than CTSS, the same basic principle that managed a single mainframe in the 1960s remains our primary means of accessing and protecting our personal online data, often with less than desirable results.

Password statistics

According to the Verizon 2020 DBIR, over 80% of breaches involving hacking make use of lost or stolen credentials or brute force.[ii] Password security should logically be everyone’s first and most intense focus, but this rarely occurs in practice. In the UK and for most of the world, the average person must keep track of approximately 100 passwords. Not all of these are different passwords. Contrary to best practice, many users use the same password for multiple accounts: as many as 56% of UK adults use identical passwords across multiple accounts.

Other best practices are consistently under-adopted; only 40% of users reported using multi-factor authentication for personal accounts in 2020.

Users are also reluctant to change their passwords even when they know they have been compromised. 21% of UK users admit to not changing their passwords until actively forced to by the services they use, and only 33% of users worldwide will change their password for a website after an announced data breach.[iii]

It is also worth noting that the most common passwords in use are the simplest to type. According to research from NordPass, the top five passwords used in 2021 were ‘123456’ (used 103,170,552 times), ‘123456789’ (used 46,027,530 times), ‘12345’ (32,955,431), ‘qwerty’ (22,317,280), and ‘password’ (20,958,297). [iv]

Today’s best practices

Best practices for passwords and their use are similar for home and business users. We are advised not to reuse the same password across multiple accounts, and to create passwords above a certain length (a minimum of eight characters, but preferably far more) using a mixture of upper- and lower-case letters, numbers and symbols. Of these, length is the stronger defence: a long passphrase resists guessing better than a short string that merely satisfies a complexity rule. Users should regularly check that their passwords have not been compromised and should change any that have appeared in known breach lists.

Using a password manager is generally considered best practice because it greatly reduces user friction (the effort the user must expend) while generating the long, random, unique passwords that are hardest to crack. Password managers come with a caveat: the user’s passwords are stored in one centralised place, protected by a single master password that the user must still remember. A failure by either the user (a weak or phished master password) or the provider of the password manager can cause more damage than the compromise of one ordinary password.

For businesses, best practices include using deny lists (lists of known insecure or too-common passwords which will be rejected when the user tries to set them); swiftly informing users of any security breaches and prompting them to change their passwords, and enforcing or at least offering multi-factor authentication.

Businesses should also never store registered user passwords in plaintext or in a reversible encrypted form. They should be stored as one-way hashes, using a function designed specifically for passwords (such as bcrypt, scrypt or Argon2). The hash should be ‘slow’, with a tunable work factor that hinders automated cracking, and each password should be ‘salted’ with its own random value so that identical passwords do not produce identical hashes and precomputed lookup tables are useless.
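The following is an added example, not code from the original article, showing the two business-side controls described above: a deny list checked at registration, and salted, slow password hashing with constant-time verification. It assumes Python’s standard-library scrypt with the work factors shown (N=2^14, r=8, p=1) and a self-describing storage record format of its own; the deny list is a constructed five-entry stand-in for a real breached-password list.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factors (not from the article). scrypt is memory-hard, so each
# guess costs an attacker roughly 128 * N * r bytes of RAM as well as CPU time.
# Raise N over time as hardware gets faster; the record format below stores the
# parameters so old records can be re-hashed on the user's next login.
SCRYPT_N = 2 ** 14                  # CPU/memory cost, must be a power of two
SCRYPT_R = 8                        # block size
SCRYPT_P = 1                        # parallelism
SCRYPT_MAXMEM = 64 * 1024 * 1024    # allow the 16 MiB this parameter set needs
SALT_BYTES = 16
KEY_BYTES = 32
MIN_LENGTH = 8

# Constructed deny list for the example. A real deployment loads a large list of
# breached and too-common passwords and checks every new password against it.
DENY_LIST = {"123456", "123456789", "12345", "qwerty", "password"}


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=SCRYPT_MAXMEM, dklen=KEY_BYTES)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record of the form scrypt$N$r$p$salt_hex$key_hex.

    A fresh random salt is drawn per password unless one is supplied (the
    explicit salt parameter exists only so the example is reproducible).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = _scrypt(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "scrypt${}${}${}${}${}".format(SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                         salt.hex(), key.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
        if algo != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        candidate = _scrypt(password, salt, int(n), int(r), int(p))
    except ValueError:          # malformed record or bad parameters
        return False
    # compare_digest does not stop at the first differing byte, so timing does
    # not reveal how much of the hash a guess got right.
    return hmac.compare_digest(candidate, expected)


def register(password: str) -> str:
    """Apply the deny list and a length floor, then return the record to store."""
    if len(password) < MIN_LENGTH:
        raise ValueError("password shorter than {} characters".format(MIN_LENGTH))
    if password.strip().lower() in DENY_LIST:
        raise ValueError("password is on the deny list")
    return hash_password(password)


if __name__ == "__main__":
    record = register("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("Correct horse battery staple", record))
```

Two things in the record are worth noting: the salt is stored in the clear beside the hash, because its job is uniqueness rather than secrecy, and the parameters travel with it, so the work factor can be raised without invalidating existing accounts.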

We can see from the password statistics section above that best password practices are frequently if not usually ignored.

How are passwords cracked?

Passwords have had the same fundamental flaw for 60 years: If other people know your password, they can access your account – it’s like having the key to the front door. Cybercriminals can obtain passwords through flaws in software or business logic, through trickery, and through simple (and often large scale) database breaches and theft.

Theft by trickery is best illustrated by phishing, but it also includes any other method of persuading users to hand over their passwords directly. Even telephone scams can prove remarkably successful.

However, bulk acquisition of user passwords usually follows a data breach and theft of the user password database. This happens more frequently than most people realise. Once a criminal has the stolen password hashes, they run an automated offline guessing attack against them: candidate passwords are hashed and compared with the stolen values, and every match reveals a password. If the hashes are unsalted, the attacker does not even need to hash anything at attack time; they keep ready-made tables of likely passwords and their hashes and simply look each stolen hash up.

The lists the criminal works from are huge. You should assume they include every dictionary that exists, every password exposed in previous breaches, and the common variations of each (capitalised, with a digit or symbol appended, and so on). On modern graphics hardware a fast, unsalted hash such as MD5 or SHA-1 can be tested billions of times per second, so most passwords stored that way are cracked within minutes. Salting forces the attacker to repeat the work for every account, and a slow password hash multiplies the cost of each guess, but neither helps a password that sits near the top of the list: since the criminal knows the most common passwords, those are tried first, and the most common 100 or so are cracked almost instantly.
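An added example, not from the original article, of the two attacks just described against a constructed "stolen" credential set: a precomputed lookup table against unsalted SHA-1, and the per-account dictionary attack that salting forces instead. The wordlist (seven common passwords expanded by simple mangling rules), the five user accounts and their passwords are all constructed for the example; SHA-1 is used deliberately as an example of a fast hash that should never be used for passwords.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed wordlist: a few of the most common passwords expanded with the
# kind of mangling rules cracking tools apply (capitalised, trailing digit, "!").
BASE_WORDS = ["123456", "password", "qwerty", "letmein", "dragon", "monkey", "football"]


def expand(words: List[str]) -> List[str]:
    out: List[str] = []
    for w in words:
        for v in (w, w.capitalize()):
            out.append(v)
            out.extend(v + d for d in "0123456789")
            out.append(v + "!")
    return list(dict.fromkeys(out))     # drop duplicates, keep order


WORDLIST = expand(BASE_WORDS)


def fast_hash(password: str, salt: bytes = b"") -> str:
    """SHA-1 of salt || password. With an empty salt this is plain unsalted SHA-1:
    fast, and the same password always produces the same hash."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


# Constructed "stolen" credentials. carol's long passphrase is not in the wordlist;
# dave and erin have chosen the same password.
PLAINTEXTS = {
    "alice": "password1",
    "bob": "Dragon!",
    "carol": "correct horse battery staple",
    "dave": "123456",
    "erin": "123456",
}
LEAKED_UNSALTED: Dict[str, str] = {u: fast_hash(p) for u, p in PLAINTEXTS.items()}
SALTS: Dict[str, bytes] = {u: os.urandom(16) for u in PLAINTEXTS}
LEAKED_SALTED: Dict[str, str] = {u: fast_hash(p, SALTS[u]) for u, p in PLAINTEXTS.items()}


def run_unsalted() -> Tuple[Dict[str, str], int]:
    """Lookup-table attack. The table is computed once (len(WORDLIST) hashes) and
    then every stolen hash, from any breach, is cracked by a dictionary lookup.
    Returns (cracked accounts, number of hash computations)."""
    table = {fast_hash(w): w for w in WORDLIST}
    cracked = {u: table[h] for u, h in LEAKED_UNSALTED.items() if h in table}
    return cracked, len(WORDLIST)


def run_salted() -> Tuple[Dict[str, str], int]:
    """Per-account attack. The salt makes the precomputed table useless, so every
    candidate must be rehashed with each account's own salt. Still succeeds for
    weak passwords, but the work scales with the number of accounts."""
    cracked: Dict[str, str] = {}
    work = 0
    for user, target in LEAKED_SALTED.items():
        for w in WORDLIST:
            work += 1
            if fast_hash(w, SALTS[user]) == target:
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    for name, run in (("unsalted", run_unsalted), ("salted", run_salted)):
        cracked, work = run()
        print("{}: cracked {} of {} accounts with {} hash computations".format(
            name, len(cracked), len(PLAINTEXTS), work))
        print("   ", cracked)
```

The unsalted run cracks four of the five accounts without computing a single hash at attack time, and because dave and erin share a hash the reuse is visible before anything is cracked. The salted run cracks the same four, but has to hash the whole wordlist again for each account and gets nothing from previous breaches. Combined with a slow hash like the scrypt example earlier, that per-guess cost is what turns "minutes" into "years" for anything not near the top of the list.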

Making passwords more secure

In the short term, the most significant factor in making passwords more secure is awareness of, and adherence to, the accepted best practices. A long, unique password made of a mix of upper- and lower-case letters, numerals and special characters is very unlikely to appear in any attacker’s wordlist and will remain expensive to crack. Multi-factor authentication does not eliminate the misuse of stolen passwords, but it makes that misuse significantly harder for the criminal.

Biometric authentication is another option, although it has some critics. Research from Onfido published in December 2021 commented, “Biometric verification provides more protection against fraud than document verification alone — and a video selfie check provides superior protection over a photo selfie check.”[v]

The future of passwords

To paraphrase Churchill: it has been said that passwords are the worst form of security except all the others that have been tried. There is a reason that passwords, as fundamentally flawed as they are, have never been replaced in 60 years: there is simply nothing more acceptable. Other methods of authentication that are consistently more secure than passwords either depend on devices or artifacts that most users don’t possess, or present such a level of inconvenience for users that it would be unviable. Passwords are unlikely to be replaced in the foreseeable future, but additional layers of security around them can make them more secure.

Need help with password security?

Password security for business may follow the same general ruleset as password security for individuals, but any enterprise must consider an overwhelming number of additional factors. A bad implementation of internal password security, whether for customer or internal authentication, can be disastrous for a business of any size.

Authentication for business requires intensive and detailed consideration, as the best decisions depend on the organisation’s specific field, its size, its management and its staff. Poor decisions risk staff bypassing their own workplace’s security measures, losing productivity to unnecessary security roadblocks or putting the entire organisation’s most sensitive data at risk with insufficient authentication checks.

Expert, specialist assistance in creating a fully tailored comprehensive security solution is invaluable for any business. Planning a password security policy needs to consider all forms of authentication, configuration, deployment and training. CyberGuard has experience guiding businesses to improving their cyber-security in the ideal way for their size and needs. For instance, health and safety consultancy and training providers CallSafe Services had been using a single password to manage their cyber-security before engaging with CyberGuard. With CyberGuard’s guidance, they smoothly upgraded to comprehensive multi-factor authentication and data protection.

Whatever 2022 holds for user account security and passwords, every organisation needs to be well-prepared, secure and ready for change. Anyone uncertain about the robustness of their organisation’s password policy can benefit from a free cyber-security assessment from industry professionals with years of expertise.

We will be using passwords as the basis for our user identification for many years, so it is worth being as secure as possible.[vi]


References

[i] https://gizmodo.com/the-world-s-first-computer-password-it-was-useless-too-5879856

[ii] https://enterprise.verizon.com/content/verizonenterprise/us/en/index/resources/reports/2020-data-breach-investigations-report.pdf

[iii] https://www.zdnet.com/article/after-a-breach-users-rarely-change-their-passwords-study-finds/

[iv] https://nordpass.com/most-common-passwords-list/

[v] https://onfido.com/resources/reports-whitepapers/identity-fraud-report-2022

[vi] https://www.ogl.co.uk/free-cyber-assessment