The history of passwords
The first password failed.
No, we don’t mean Ali Baba and the “Open, Sesame!” -call he overheard. And we don’t know if the elaborate system of watchwords used in Ancient Rome always worked. We’re thinking of those passwords that give you access to online data.
The origin of the first computer password is murky, but most experts date it back to the 1960s. Back then, researchers at the Massachusetts Institute of Technology (MIT) built the now legendary time-sharing computer called CTSS. Without it, things like email, virtual machines, instant messaging, and file-sharing would be unthinkable today. The CTSS had two 32,768 (32K) 36-bit-word core memory banks and allowed multiple users to log into it from remote dial-up terminals. You could also store files online on a disk. That encouraged users to share information in new ways. Fernando Corbató, the head behind the project, is still not sure if they were the first ones to use a password, but he knows why he came up with it:
“The key problem was that we were setting up multiple terminals which were to be used by multiple persons but with each person having his own private set of files. Putting a password on for each individual user as a lock seemed like a very straightforward solution.”
But even then, passwords weren’t safe: one researcher at the time wanted more than his four allocated hours of use on the machine. He found the weak link in the system and submitted a punched card which allowed him to print out the passwords of all users. He then shared his list with others. Luckily, that wasn’t too dangerous back then, as few people even had access to CTSS. Cybersecurity wasn’t in its infancy; it didn’t exist.
Today, around 300 billion passwords are used worldwide. And that’s where the problem begins.
Password fatigue
Theoretically, it shouldn’t be hard to come up with a safe password. In practice, the average person now has to remember dozens of passwords for different accounts, from apps to email. As a result, many people use the same passwords from multiple accounts. This so-called password fatigue is widespread and can have serious consequences, especially when these passwords are easy to hack. And with 24%of Americans using passwords like “password,” “Qwerty,” and “123456”, chances are high that they or their employers will have to suffer a data breach. 50% of people even use the same password for all their accounts. If a company doesn’t protect its customer data, things can get really expensive: Besides the enormous image loss, they could be fined for non-GDPR compliance. That can cost up to €20 million (about £18 million) or 4% of annual global turnover – whichever is greater. If multiple people have access to internal information, one weak password is all it takes for hackers to access your data.
How many data breaches are caused by passwords?
According to a Verizon report, poor or reused passwords are responsible for 80% of data breaches. More than 1 million passwords get stolen every week. Even worse, one weak password can bring an entire system down. Many companies still share passwords via email- the equivalent of writing them on a postcard.
Hive has produced a password table that shows you exactly how many seconds it takes on average to crack a password. If yours has fewer than six characters, you should be worried: It can be cracked almost instantly. But even passwords that are 8-character passwords take only around 39 minutes to get cracked.
How to create a good password
A good, secure password needs to have the following:
- It is at least 12 characters long; the longer, the better.
- It uses mixed characters such as uppercase and lowercase letters, numbers and special symbols.
- It doesn’t have memorable keyboard paths.
- It doesn’t include personal information.
- It isn’t used for any other account.
The NCSC advises to pick three random words, join them together and replace some letters with symbols or numbers. That way, the password is easier to remember whilst still safe enough to deter hackers. But looking at all these requirements, it is no wonder that most internet users fail to create such passwords. The average person can only remember seven digits, let alone passwords with special symbols. So, is there a safer and easier way to protect your data in the future?
Does a password manager help?
It sounds great: an app stores all your passwords in one safe place so you don’t need to remember them. That has many benefits; you can use longer, safer passwords without worrying you will forget them. Your passwords get synced across all devices. And their AI is better than humans at detecting phishing sites, providing an extra layer of security. But password managers carry a risk: As they keep all your information in one place, a security breach would expose all your passwords in one go. The results could be catastrophic. As they are so valuable, they are a preferred target for hackers- an additional security risk.
What about Multi-Factor-Authentication (MFA)?
As hackers become more sophisticated, a password is not enough to deter them. Enter Multi-Factor- Authentication (MFA). MFA requires you to provide two or more verification factors to gain access to a system. At present, most companies require two types of authentication such as a password and a one-time pin. But a new study suggests this method isn’t as safe as it sounds. Hackers “mirror” an online site that exchanges cookies with the visitor, then steal the data.
The future of passwords
Cybersecurity faces two challenges: more users expect faster and better user experiences and easy logins, while the danger of hacking increases year by year. Thanks to smart homes, we are now vulnerable to cyber attacks in our homes and at work. The increase in working from home has accelerated this trend. Why are we commemorating an extremely faulty mechanism that keeps us vulnerable when safer, easier and faster alternatives exist?
Abandoning the password in favour of MFA like MIRACL Trust will make for a better user experience and protect your assets. MIRACL leaves your customer data in your hands. We authenticate users without their personal information, making login more secure. Login is almost instant, and it prevents 99.9% of all attacks. We think it does a great job.
If you would like to know more, our newsletter is a great way to get to know us- you can subscribe here.
