The evolution of the password — and why it’s still far from safe
By Rebecca Hiscott From Mashable
Just a decade ago, password theft seemed the province of poorly protected Hotmail accounts and AIM screen names. These days, virtually every company with access to our personal data, from Target to The New York Times to Facebook and Gmail, has been hacked. The password is the sentry that guards this mass of sensitive data — credit cards, addresses, social security numbers — and yet, more than 50 years since its invention, researchers and developers are still figuring out how to fix what has always been a little bit broken.
The first computer password was developed in 1961 at the Massachusetts Institute of Technology, for use with the Compatible Time-Sharing System (CTSS), which gave rise to many of the basic computing functions we use today. CTSS was designed to accommodate multiple users at once, with the same core processor powering separate consoles. As such, each researcher needed a personal point-of-entry into the system.
“The key problem was that we were setting up multiple terminals, which were to be used by multiple persons but with each person having his own private set of files,” Fernando Corbató, the head of the CTSS program, told Wired. “Putting a password on for each individual user as a lock seemed like a very straightforward solution.”
These first passwords were simple and easily stored, since sophisticated hacking networks and password-cracking programs did not yet exist. But the system was also easily duped. In 1962, Allan Scherr, a Ph.D. researcher with access to CTSS, printed out all of the passwords stored in the computer, so he could use CTSS for more than his four-hours-per-week allotment.
“There was a way to request files to be printed offline, by submitting a punched card with the account number and file name,” Scherr wrote in a document commemorating CTSS. “Late one Friday night, I submitted a request to print the password files and very early Saturday morning went to the file cabinet where printouts were placed… I could then continue my larceny of machine time.”
Image: Flickr, marc falardeau
As operating systems became more complex and their use more widespread, password security jumped in priority. Cryptographer Robert Morris, the father of Robert Tappan Morris, who inadvertently created the infamous Morris worm, developed a one-way encryption function for his UNIX operating system, known as “hashing,” which translated a password into a numerical value. The actual password was therefore not stored in the computer system, making the information less readily accessible to hackers. The encryption strategy that Morris implemented for UNIX appears to have been conceived by R.M. Needham at Cambridge in the 1960s.
Modern UNIX-based systems such as Linux use a more secure version of the early hashing algorithm. Nowadays, “salting” a password by appending unique characters before running it through a cryptographic function also bolsters its defense against attacks.
However, lists of hundreds of commonly used hashes — passwords that are still encrypted, but can be guessed — have appeared online in the past few years, mined from hacked sites like LinkedIn and Gawker, making the encryption that much easier to crack.
“During the formative years of the web, as we all went online, passwords worked pretty well,” Wired editor and hacking victim Mat Honan wrote in 2012. “This was due largely to how little data they actually needed to protect… Because almost no personal information was in the cloud — the cloud was barely a wisp at that point — there was little payoff for breaking into an individual’s accounts; the serious hackers were still going after big corporate systems.”
Now, personal data ranging from our favorite TV shows to our credit card numbers can be found online Now, personal data ranging from our favorite TV shows to our credit card numbers can be found online, all of it protected by a password — a rather impotent sentinel, as it turns out.
For starters, even today, not all websites use password encryption. Some programs still store passwords as plaintext, meaning they are readily available in their original forms in the system. If a hacker gains access to a site’s master list, hundreds or thousands of passwords, and all the personal data they prtect, can be exposed in an instant.
Hackers generally mine human weaknesses to guess passwords. According to this year’s Data Breach Investigations Report, 76% of network intrusions were carried out by compromised user accounts. More often than not, an account is hacked because the user employs the same password for multiple accounts or has an alarmingly simple password (“password” inevitably turns up on the list of most common phrases). Dictionary attacks — where a program cycles through a database of common dictionary words — can effortlessly crack these simplistic passwords.
As such, most websites that require password authentication ask for more complicated combinations. For instance, the user might have to compose a password that includes upper- and lowercase letters, as well as digits and special characters. Users are commonly advised to use different passwords for every website they access, and to avoid ever writing them down.
But at a time when Internet users log on to as many as 25 password-protected sites per day, remembering a different 14-character password for each is a Herculean mental exercise.
” The reality is, we have a system that not only is insecure but it’s totally unusable. The reality is, we have a system that not only is insecure but it’s totally unusable. Most people just throw up their hands and don’t bother with good password hygiene,” Jeremy Grant, a senior executive advisor with the National Strategy for Trusted Identities in Cyberspace, tells Mashable. “It’s good to have that complex 12- to 18-character password, but from a usability perspective, most people don’t have the patience. Instead, they have one or two passwords that they use everywhere.”
Even the most secure passwords are vulnerable to a slew of attack strategies, including brute-forcing — when a hacker or computer program cycles manually through every possible combination of characters — and malware, which covertly gains access to a private computer in order to gather personal data. Hackers might pose as their target using personal information such as his address and phone number, which is easily found online, in order to take over his personal accounts. Phishing schemes can take down even the strongest passwords, simply by tricking the user into entering her password on a fake site.
No wonder Bill Gates declared the password dead in 2004.
A sampling of the passwords we use every day.
In the last decade, startups and researchers have proposed appropriately futuristic methods to strengthen passwords, or replace them entirely. These range from password management tools like LastPass and 1Password to personal data lockers, which centralize and encrypt passwords and other personal data, to image-based or gesture-based verification systems.
Some companies have already instituted secondary security measures for their employees, for example, by carrying around a small chip that acts as a security key. Similarly, Google recently revealed plans to encrypt data in a small USB key or ring that could act as a password for some devices.
These more advanced methods are promising, but none seems to have developed much traction yet. Biometric password devices like the Nymi wristband, for instance, still possess a significant flaw: Biometric information is irreplaceable, and if it is duplicated or stolen, “you can’t exactly reset your heartbeat,” Wired notes. Fingerprint scanners face the same problem. “It is hard to fake a fingerprint, but not so hard that I’d be willing to use a fingerprint alone to authenticate me at a bank,” Vijay Pandurangan, one of the founders of the password management app Mitro, tells Mashable.
Recently, two-step authentication systems like the one Google employs have added an extra layer to password security by requiring verification from two separate sources, in this case a password and a code delivered via SMS. However, intrepid hackers — of which there are many — can game the system by first acquiring access to the target’s phone, which is not that difficult given the right set of tools.
Nevertheless, two-step authentication is likely the key to future password security. Passwords are deeply ingrained in web culture, and expecting an entire generation to learn and accept another system of validation may be unreasonable. But multi-factor authentication — a system that would require passwords plus a code obtained via text message plus a fingerprint, or something variation thereof — could be the solution. In theory, the more information a login attempt requires, the less likely it is that a hacker will be able to assemble all the necessary puzzle pieces.
“The best security solutions we see these days are ones that layer in several elements, so if one is compromised it doesn’t break the whole system,” says Grant. “If I’m just logging into my Gmail account, I have my password and I have Google’s authentication app. If I’m logging in to, say, my health records or a bank, I may want to turn on something else, [for example] phone-based biometrics. The smartphone is really offering a solution to some of the barriers we’ve seen in the past.”
The problem with truly reliable multi-factor authentication may be that the safest methods would also require significant sacrifices in terms of convenience and privacy, according to Mat Honan. The type of information needed might be far more invasive than we are comfortable with. “The security system will need to draw upon your location and habits, perhaps even your patterns of speech or your very DNA,” Honan wrote in Wired.
But, as Grant points out, anything that appears too invasive will be rejected by consumers. Future security measures will have to incorporate sophisticated technology without inconveniencing the user. The NSTIC has seen promising new developments in geolocation, for instance. In the future, devices may instantly recognize when a user is logging in from an unfamiliar country and switch on additional security features. You may have already experienced an early version of this when trying to log into Facebook from a computer with an unknown IP address.
If we continue to dump personal information online at the same staggering rate, we may be forced to accept certain sacrifices of convenience and privacy, at least in the interim. For now have little choice but to wait and see, and to strengthen our existing passwords in the meantime.
Have something to add to this story? Share it in the comments
Image: Mashable composite.
For more on this story go to:
