Passwords themselves are much older than any computer, dating back to ancient times, when a password, or watchword, was used to indicate membership of a select group.
Indeed, secret societies were known in cultures as far back as ancient Egypt, but it was the Roman military - who else? - that took passwords to a new level of sophistication.
The Greek historian Polybius records how a watchword was distributed amongst Roman guards on night watch duty: every day the senior officer would choose a word and have it inscribed on a number of wooden tablets or tesserae. A watch commander - the tesserarius - would bring a tessera back to his unit and silently pass it around his fellow officers in front of witnesses to verify who had seen it before it was returned to whence it came. Each tessera had a unique mark on it, and if the full complement of tesserae were not returned by nightfall, any unfortunate soldier who misplaced one was identified and duly punished.
Historically, passwords were also used as a means of keeping secrets, as well as for identification.
In order to protect correspondence between cardinals in 16th century Renaissance Italy, Giovan Battista Bellaso published a method for encrypting messages based on letters contained in a password or phrase. The receiver of the message would need to know the password to decrypt the message and, if the password was sufficiently long, the cipher was regarded as unbreakable.
A few years later, French diplomat Blaise de Vigenère invented a similar cipher. However, in an accident of history, Bellaso’s method became known as the Vigenère cipher, while Vigenère’s is called the autokey cipher.
Passwords first met computers in the early 1960s when operating systems like MIT’s CTSS and Multics began to offer multiple “users” simultaneous access to one machine. And, right from the start, we’ve had password hacks: really, amazingly epic password hacks.
Users accessed CTSS via a teletypewriter, and system administrators could set a “message of the day” to welcome them, which was printed out when each user logged in. To keep things simple, user names and their passwords were kept, unobscured, in another text file which system administrators would edit to set passwords for different users.
It so happened that, one day, two administrators were on the system - one editing the message of the day, and another changing the password file. An unfortunate bug in the system’s text editor meant that, when the password file was saved, it overwrote the message-of-the-day file. Users logging in to the system were then - to their horror or delight - greeted with a full dump of every password in the system. The details are recounted in CTSS designer Fernando Corbató’s paper “On building systems that will fail”.
In my next post we’ll look at ways of defending against this sort of (intentional or unintentional) password leakage, and how they affect your chances when hackers attack. In the meantime, you can find means of securing your sensitive information significantly more sophisticated than wooden tablets and printed password files here.