The password is nothing new. In fact, it has been
around for centuries. Way before Hotmail, Skype and Netflix were prompting you
to create a secure code with a funky username, the Romans reportedly used
passwords as a way to convey important military messages between troops.
Essentially, it was a simple way to protect
information. Fast forward a few thousand years and enter Fernando Corbató.
Widely regarded as the godfather of the modern
computer password, he introduced the idea to computer science while working at
the Massachusetts Institute of Technology (MIT) in 1960.
The university had developed a huge Compatible
Time-Sharing System (CTSS) that all researchers had access to. However, they
shared a common mainframe as well as a single disk file.
To help keep individual files private, the concept
of a password was developed so that users could only access their own specific
files for their allotted four hours a week – hey, computer time was limited
back in the 60s.
Although the password was less than perfect, something
Corbató is the
first to admit, it went on to become the go-to method for computer
security, both in the personal and corporate spheres, due to its simplicity
(although this would later be seen as one of its faults).
Hashing, salt and cryptology
In those early days of computing, the use of
passwords in this sense was fairly limited, mainly to guys like
Corbató and his team who were among the first to really explore the power of
computers.
However, as the world wide web exploded in the 90s,
more and more people began using the internet on a regular basis, creating
reams of sensitive data and information in the process.
But even before the web went into overdrive, early
computer scientists were working on a way to make passwords more secure. And,
to do that, computer science took a leaf from cryptology.
Working for Bell Labs in the 70s, cryptographer
Robert Morris devised “hashing”: the process by which a string of characters is
transformed into a code that represents the original phrase.
Hashing was adopted in early Unix-like operating
systems, which are widely used today across the world in mobile devices and workstations.
Apple’s macOS, for example, is Unix-based, while the PlayStation 4 uses Orbis OS, a
Unix-like operating system.
Adding yet another level of security, modern
password databases can also employ “salting” to further protect a stored password:
random data is inserted before the password, and then the
resulting string is hashed.
This, however, doesn’t stop a simple password from
being guessed: the main aim is to stop a leaked password or multiple passwords
(for example, in the event a database has been breached) from being cracked and
used.
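As an added example, not code from the article: the salt-then-hash flow described above, written with Python's standard library, plus a verification step and a registration-time denylist check to show what salting does protect against (one precomputed table cracking every leaked row) and what it does not (a weak password such as “password” or “123456”). The iteration count and the denylist entries are constructed values for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: a modest PBKDF2 work factor chosen for a quick demo, not a
# production recommendation.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex' for storage in the user table.

    A fresh random salt per user means two users with the same password get
    different stored values, so a leaked table cannot be attacked with one
    precomputed (rainbow) table covering every row.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def hashes_differ_for_same_password(password: str) -> bool:
    """Two registrations of the same password produce different stored values."""
    return hash_password(password) != hash_password(password)


# The salt does nothing against a weak choice of password: the defensive
# counterpart is to reject well-known passwords at registration time.
# Constructed sample denylist; a real one would be much longer.
COMMON_PASSWORDS = {"password", "123456", "qwerty"}


def is_acceptable(password: str) -> bool:
    """Apply the article's minimum length and refuse denylisted passwords."""
    return len(password) >= 8 and password.lower() not in COMMON_PASSWORDS
```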
But back when Corbató devised the password,
security wasn’t such a huge issue: hacking, as we understand it today, didn’t
really appear until the 80s.
Now, it’s a different story: almost everything is
online.
From banking and shopping, to TV and music, we keep
our data safe with a string of digits and letters. But how safe is it? Even
huge companies eBay and LinkedIn have been attacked in recent years, compromising the
passwords of their users.
The pros and cons of the password
There are a couple of seemingly intrinsic problems
with passwords. One: short ones are easy to remember but also easy to guess.
Two: longer ones are harder to crack but also harder to remember.
Keeping so many different passwords can be
difficult too. Just think about how many online accounts the average person
has: online banking, personal email, iTunes, Skype, Amazon … the list goes on
and on.
This has led many people to just use one or two
passwords across the board. This, of course, poses a major problem: if
attackers work it out, they then have access to everything.
Another issue is the choice of the password itself.
Shockingly, SplashData found that a great many people still used
“password” or “123456” as the key to their sensitive data – it’s not going to
take a cybercriminal much effort or time to crack that code now, is it?
The password is dead … long live the password
Passwords do, of course, provide a level of
security, and despite the likes of Bill Gates saying it was dead way back in 2004, most companies with online
portals still use them.
So how can you make your passwords more secure?
Well, there are a few options.
The people behind World Password Day, an initiative focused on improving
password strength, suggest that each account should have its own unique
password to avoid this very issue.
Creating strong passwords in the first place is
also crucial. Codes that combine words and numbers, avoid obvious personal
information and that are eight or more letters in length generally work best.
Users can also adopt a “passcode” strategy for
increased security or adopt two-factor authentication, where a password is only one step in
gaining access to sensitive data.
Further, moving beyond passwords is recommended –
passphrases, for example, offer users better security courtesy of longer and complex
sentences, while still being easy to remember.
If all this password malarkey seems a bit much, you
could take a leaf from the late cryptographer Robert Morris (father of Robert
Morris Jr, author of the Morris Worm). Besides his contributions to
password hashing and the above tips, he had a slightly more unusual suggestion for
computer security:
“The three golden rules to ensure computer security
are: do not own a computer; do not power it on, and do not use it.”
A little too extreme perhaps …