When Did We Start this Password Thing?

January 27, 2012

I’ve talked many times here about the problems with passwords as a means of authenticating computer users (most recently here and here), and about the search for better alternatives.  Just a few days ago, I mentioned DARPA’s Active Authentication project to develop new methods of authentication.  How did this all get started, anyway?

Wired has posted an article, by Robert McMillan, that attempts to answer this question.  It’s amusing to reflect on some of this history, and perhaps it holds a few lessons, too.

As the article points out, the idea of passwords in general has a long history, going back at least to the Romans.  However, it is not entirely clear when the idea was first applied to computer system access.  One possible candidate is the SABRE Reservation System, developed by IBM for American Airlines in 1960.  But McMillan thinks the most likely candidate is the Compatible Time-Sharing System [CTSS], developed at MIT in the mid-1960s under the direction of Fernando Corbató.  (The photo accompanying the article, showing Corbató standing amidst the system’s equipment, is perhaps of interest to historians of computers or fashion.)

It probably arrived at the Massachusetts Institute of Technology in the mid-1960s, when researchers at the university built a massive time-sharing computer called CTSS. The punchline is that even then, passwords didn’t protect users as well as they could have.

The article goes on to suggest that even in CTSS, passwords were something of a security failure.  I think this argument is a bit unfair.  The two security breaches cited in the article were both the result of someone obtaining a copy of the password file, either due to a system error or deliberate subterfuge.  (The password file was, apparently, not encrypted, of which more anon.)  Criticising the use of passwords based on attacks of this kind is like criticising a lock because the burglar opened it with a stolen key.  The lesson to be taken away from these examples is that effective security is a system, not a particular technology.  No matter how good your passwords are, someone who can steal a list of plain text passwords (or capture them with a keystroke logger) can still access your system.  Similarly, being careful with passwords while leaving an unencrypted copy of the password file accessible will not protect you, any more than putting three deadbolt locks on your door while leaving the windows open.

Having an authentication system that is better, in principle, than passwords, is a good thing.  At the time CTSS was developed, though, passwords could have provided effective security had there not been some serious goofs in the implementation.  (We should also remember the very limited resources of that system, by today’s standards.  A system that would take 30 minutes to process a login would not be worth much, although it might be very secure.)   Also, the history of security systems seems to show that, even with a “provably secure” system, like one-time pad cryptography, implementation and user errors can create embarrassing failures.

