Fernando Corbato, the MIT computer scientist who is widely credited with inventing the password as a means of logging into a computer, says that he and his colleagues could not foresee the World Wide Web from the early Sixties – and passwords have now become “kind of a nightmare.”
The data breach at eBay threw this into sharp relief, with security experts such as ESET’s Lysa Myers raising questions over why such important data was not protected with additional measures such as “two-factor authentication” or “2FA”.
“Unfortunately it’s become kind of a nightmare with the World Wide Web,” Corbato said. “I don’t think anybody can possibly remember all the passwords that are issued or set up. That leaves people with two choices. Either you maintain a crib sheet, a mild no-no, or you use some sort of program as a password manager. Either one is a nuisance.”
“The notion of a password goes way back. What had happened was we were sharing a mainframe and we had a common disk file. People weren’t used to sharing in those days. It was just an attempt to put in some compartmentalization so people didn’t have to live in a communal setting,” Corbato said.
Corbato revealed in an interview with the Wall Street Journal’s Digits blog that he himself had around 150 passwords, and now committed security sins such as writing down a “crib sheet” to remember them all.
“First of all, we didn’t foresee the current Internet either. Passwords are not a super high level of security, but are enough to protect against casual snooping,” Corbato said, according to Business Insider.
Corbato’s invention, however, still reigns supreme on many sites 50 years on. Analysts predict widespread adoption of additional measures, such as 2FA, by 2015, according to a ZDNet report. The increasingly widespread adoption of biometrics (e.g. fingerprint scanners) in mobile devices also helps mark the end of an era.
Wired magazine said that passwords were used instead of a knowledge-based system – where a user might be asked facts only he or she knew, such as a birth date or mother’s maiden name – because it took up less space on MIT’s systems.
Corbato remains reluctant to take credit for the invention – saying that a $30 million IBM machine, the Sabre ticketing system, beat him to it. “Surely there must be some antecedents for this mechanism,” he said. Corbato designed one of the first systems for multiple users “time-sharing” computers, known as the Compatible Time-Sharing System or CTSS. A guide for programmers in PDF form can be found here. The idea of passwords allowing for multiple users was part of this.
The idea, of course, was not entirely new – the military had been using “watchwords” or passwords for access for thousands of years, according to the Greek historian Polybius, who lived in the second century BC. Quoting The Histories of Polybius, About.com Ancient History says, “A man is chosen who is relieved from guard duty, and he attends every day at sunset at the tent of the tribune, and receiving from him the watchword – that is a wooden tablet with the word inscribed on it – takes his leave, and on returning to his quarters passes on the watchword and tablet before witnesses to the commander of the next maniple, who in turn passes it to the one next him.”
Corbato revealed, however, that data breaches began almost at the same moment as passwords – with one researcher stealing other passwords to log more time on the computer, since “there was a four-hour time limit.” In an unforgivable security breach, the MIT-CSS made it possible to print off a list of all user passwords – which one colleague did.
Author Rob Waugh, We Live Security