A brief history of passwords from antiquity to the present day

Lord777

Although Microsoft has been actively promoting the concept of a "passwordless future" for many years, it is still difficult to believe in this amazing new world. Could anything be more unshakable and permanent than checking "friend or foe" with a code word? We look at how passwords appeared and spread, and why IT corporations are planning to abandon them.

Life and death password
Code phrases in the form we are accustomed to were in use at least 200 years before the birth of Christ, in ancient Rome. Anyone wishing to enter the territory of a city was asked for a specific phrase, which the sentries received on a wooden tablet. Amusingly, even then a kind of analog, ancient Roman blockchain was in use: as the tablet was passed along, it was always known which group of people held it at that moment, and if it did not come back at the appointed time for its regular "verification", that group was in serious trouble.

The next logical step in the evolution of analog passwords was end-to-end encryption. In many military operations (for example, the Battle of Normandy), the key part of communication was knowing not only the password but also the answer to it, and both were changed as often as possible. It is practically like comparing emoji in secret Telegram chats.

First digital password and first leaks
The operating system in which password login was introduced was the Compatible Time-Sharing System (CTSS), developed at MIT. One of the main goals in building it was to share out the most valuable resource: the time during which people could work with the system. After entering the password, a person could work for four hours and had to get as many tasks done as possible in that time.

Password entry even had an analogue of the modern "asterisks": where possible, the system turned off the printing mechanism for greater privacy during input.

The name of the "father" of the concept is also known: Fernando Corbato, the head of the team that created CTSS. Ironically, although the goal was information security, no provision was made for storing the passwords themselves securely. The reason is simple: the computer systems of that time had few resources, and spending them on this problem was considered wasteful. “Nobody wanted to devote too many machine resources to authentication tasks,” Corbato recalled. With such starting conditions, the first security incidents were bound to happen.

They happened in the early 1960s. One of the employees found that the password master file could simply be printed by issuing the appropriate command: a simple and obvious way to bypass the protection, and the first documented case of a one hundred percent compromise of the user base of a single "service".

Then, in 1966, someone mixed up the OS welcome message and the master file with passwords. As a result, anyone who logged into the system had access to all employee data. According to Corbato's recollections, some people even took advantage of this. Nothing criminal: just as a joke, employees went into their colleagues' files and left various messages there. Such was trolling on the huge computers of the 1960s. The ability to store passwords in hashed form in Unix operating systems appeared only in the 1970s.

Back to basics
The next stage of evolution is password managers that cover all of your services. They helped popularize the opinion that writing the master password down on paper and keeping it in a safe place is the best thing to do. There are only two arguments in favor of this, but they sound very logical.

  1. If you store your password in a truly secure place, it is highly unlikely that someone will break the laws of your country to steal it.
  2. You will surely make your master password long and unique, to be on the safe side; it is hard to take your own security lightly. That is exactly why there is a high risk of forgetting it one day, and in that case recovering all the passwords (also complex and unique, of course) for all of your services will turn into a serious problem.

Thus the history of passwords has come full circle, and beautifully. Having started with wooden tablets in ancient Rome, it has ended up with pieces of paper in safe places.

Password as evil
Interestingly, in 2014 Corbato described his password system as a "nightmare." According to him, at the time of its creation the team could not foresee the emergence of the Internet in its modern form. In his opinion, the situation is obvious: no one can memorize many different complex words for all the services they need, so one of two things happens in the real world. Either people use memory crutches, which seriously diminish the effectiveness of the concept, or they use password managers, which Corbato also did not consider reliable.

"Passwords do not provide a super-high level of security, but they are sufficient to protect against accidental snooping," is how Corbato assessed the reliability of the system as such toward the end of his life. Tellingly, Bill Gates predicted a "quick" death of passwords (for the same reasons) back in 2004, but they are still with us.

According to Corbato himself, he had about 150 passwords for various services and used various tricks to remember them. He died in July 2019 at the age of 93.

Apparently, this is where the history of passwords ends, and they may be reborn as something more reliable and interesting. Of course, getting rid of passwords is not a quick process, but if the idea takes root, in a few years we will be able to feel the results of the changes. I hope they will be positive.
 