GATEKEEPER BLOG

Don't change passwords.

History of the Password

The Evolution of the Password Throughout History

Every few months, banks, our company’s IT department, email clients and certain apps remind us to change our passwords. And when we do, some systems even assess the level of difficulty of our new passwords, telling us if our new password is weak or strong. We’re also told that we’re not allowed to reuse a previous password when we’re too lazy to come up with a new one. The modern password has evolved, along with its respective best practices. But how, exactly, did the password come into being? Is it a product of modernization or technology? What’s the history of the password?

Historical roots of passwords

The password traces its origins to the ancient Roman military watchword used to differentiate allies from enemies, as chronicled by Hellenistic historian Polybius. Roman soldiers used tablets upon which was inscribed the watchword and passed this on from maniple to maniple systematically until the tablets reached the military tribune from whence they came. The password has a long and storied history.

Later, during the Second World War in the Battle of Normandy, U.S. 101st Airborne Division paratroopers used a challenge (“flash”) that required a password response (“thunder”). Lastly, a countersign (“Welcome”) challenged the person who had started the exchange. The movie Saving Private Ryan portrays this challenge-response. Every three days, these passwords changed. This was not a password you wanted to get wrong, as the result would be a barrage of .30-06 bullets fired your way. This is an example of challenge-response authentication. All of a sudden, a 90-day password expiry doesn’t seem so bad.

Another version of the password used by American paratroopers on D-Day was a metallic click, answered with two clicks, made with a device they called a “cricket.” Of course, without a second factor, anyone could find one on the ground and use it maliciously. That’s why we need MFA.

Fernando Corbató and the modern password

The introduction of the modern computer password is usually attributed to Fernando Corbató – a brilliant American computer scientist known for pioneering the development of time-sharing operating systems.

The initial time-sharing system Corbató was involved in was the Massachusetts Institute of Technology (MIT) Compatible Time-Sharing System (CTSS), whose early version was released in 1961. All researchers had access to the system, but the problem was that they were using a common mainframe and only one disk file. So, to ensure each researcher’s individual file remained private, users had to create their own password to access their files during their allotted four hours every week.

Back then, Corbató considered the password a rudimentary security method. However, its utter simplicity paved the way for its popular adoption. So the password eventually became the long-term solution for maintaining computer security. The password is simple to use, cost-effective, requires virtually no training, and can be propagated with ease. So, the password became popular because it was easy for anyone to use. It was intuitive…


Further developments

In general, the use of passwords remained limited to tech researchers like Corbató and other people on his team studying how powerful computers were. This means that cybercrimes such as the ones we experience today were totally unknown at the time. Of course, that’s all changed now.

However, things changed when Internet use exploded in the 1990s. Sensitive data was stored in systems and online. Value moved online, and crime followed. Therefore, passwords had to become more secure. Threats and verticals are always evolving. It’s when a technology falls behind its proportionate threat that the risks become dire.

To achieve that goal, computer scientists turned to cryptology, and terms like “hashing” (developed by a cryptographer named Robert Morris Sr.) and “salting” were introduced as methods of making it more difficult to guess passwords.
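
The effect of salting described above, as an added example that is not from the original post: with a plain unsalted hash, accounts sharing a password are visible in a leaked table, while a per-user random salt and a slow hash hide that. The choice of PBKDF2-HMAC-SHA256 at 600,000 iterations, the record layout, and the sample accounts are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def unsalted_digest(password):
    """Weak scheme: fast, unsalted hash. Equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, iterations=ITERATIONS):
    """Salted, slow hash. The record layout is made up for this example."""
    salt = secrets.token_bytes(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt; reject malformed records."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        salt, expected, iterations = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex), int(iters)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)  # constant-time compare

def shared_digest_groups(table):
    """Users whose stored values are identical, as a reader of a leaked table would see."""
    by_value = {}
    for user, value in table.items():
        by_value.setdefault(value, []).append(user)
    return [sorted(users) for users in by_value.values() if len(users) > 1]

# Constructed sample accounts; two of them share a password.
SAMPLE = {"alice": "thunder", "bob": "thunder", "carol": "flash-welcome"}

def demo():
    """Return the groups of users with matching stored values: (unsalted, salted)."""
    unsalted = {user: unsalted_digest(pw) for user, pw in SAMPLE.items()}
    salted = {user: hash_password(pw) for user, pw in SAMPLE.items()}
    return shared_digest_groups(unsalted), shared_digest_groups(salted)

if __name__ == "__main__":
    weak, strong = demo()
    print("unsalted, users sharing a digest:", weak)
    print("salted, users sharing a digest:  ", strong)
```
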

Why? Because hacking happens every day to a lot of big companies – including Google, eBay, LinkedIn, Yahoo, Microsoft, LastPass, and Facebook. They have had their systems and/or databases breached through the years. These breaches compromised data (including passwords) collected from private individuals and even corporate clients. Just recently in June 2021, the so-called “RockYou2021” attack resulted in 3.2 billion leaked passwords from multiple databases. The number of hacking attempts happening in real-time is mind-boggling. With the rise of automation and programs, hackers can just launch attack after attack on companies with little effort. Brute-force attacks can easily guess weak passwords. It only takes one employee with one weak password, whether it falls to a brute-force attack or is a reused password.

Password best practices

Did you learn something from the history of passwords? We hope so. Learn from history’s mistakes. Strengthen your passwords ASAP! Don’t wait for a cyber security incident. Be proactive and ready for the fight. Take immediate measures to protect your data online:

  • Increase password length on all accounts.
  • Increase password complexity.
  • Use a totally different password for every account – do not reuse passwords.
  • Adopt two-factor authentication before it’s too late.
  • Use passphrases, not simple passwords that hackers can crack (guess).
  • Use a password manager to better manage your corporate passwords.
  • If a suspicious site asks for your password, use your password manager to see if it auto-fills. If it does not, then don’t type your password.
  • Never share your password!
  • If someone asks you to confirm your password, don’t.
  • Don’t write your passwords down.
  • Don’t keep a spreadsheet of your passwords.
  • Keep up with the latest knowledge of cyberthreats.
  • Use a hardware-based authentication method to increase the security factor.

And while passwords may not be the ultimate solution for online security, they’re not going away fast enough. So, create strong passwords. Protect yourself! But more importantly, use a password manager. This way, the IT admin can directly create and enforce strong passwords, without the end user’s involvement. Passwordless, seamless access is the future evolution of passwords.
