Tech Talk

Cracking the password problem

123456. 123456789. 12345. qwerty. password. 12345678. 111111. 123123. 1234567890. 1234567. Those were the ten most used passwords in 2021. There’s a good chance you’ve used one of them at some point, frustrated by the proliferation of online accounts each demanding that you come up with a password to access it. None of those options takes more than a second to crack. According to a survey by Google, 65% of people use the same password for multiple accounts and I suspect there are a lot of liars in the remaining 35%.

When computer passwords were originally developed it was all so much simpler. They were first implemented in 1961 by Fernando José “Corby” Corbató at MIT when he led the development of the Compatible Time-Sharing System (CTSS), one of the world’s first operating systems. With multiple people using the same computer, passwords were a means of keeping their files separate and private.

Corbató – who died in 2019 – explained to Wired: “The key problem was that we were setting up multiple terminals which were to be used by multiple persons but with each person having his own private set of files. Putting a password on for each individual user as a lock seemed like a very straightforward solution.”

But even that straightforward solution led to situations that presaged the leaks and hacks that were to come in the internet age. In 1966, a software bug switched out the system’s welcome message with the master password file, meaning anyone who logged in was presented with the entire list of CTSS passwords. The first hack came four years earlier, though it took almost 50 years for the perpetrator to confess.

In a 2011 pamphlet published to commemorate the creation of CTSS, Allan Scherr, who went on to be a major figure at IBM, confessed that he’d stolen passwords to get more than his allotted four hours per week using the computer. His trick? He’d simply printed out all the passwords. He wrote:

“There was a way to request files to be printed offline by submitting a punched card. Late one Friday night, I submitted a request to print the password files and very early Saturday morning went to the file cabinet where printouts were placed and took the listing.”

Scherr’s attempt to spread the blame around – handing passwords over to other users – even led to an early case of trolling when JCR Licklider (who went on to be a major figure in the development of visual computing and the Internet) logged into the account of the lab’s director Robert Fano to leave him “taunting messages”.


Speaking to The Wall Street Journal in 2014, Corbató said that he and his team had not foreseen how ubiquitous passwords would become or how they would come to be used on the Internet. He explained:

“Passwords are not a super-high level of security but are enough to protect against casual snooping… Unfortunately, it’s become kind of a nightmare with the World Wide Web. I don’t think anybody can possibly remember all the passwords that are issued or set up. Either you maintain a crib sheet, a mild no-no, or you use some sort of program as a password manager… I have to confess, I use a crib sheet.”

But Corbató’s accidental nightmare may be fading. The FIDO Alliance, a tech industry group, has been working on standards to ditch passwords for over a decade and Apple announced its implementation of them at its annual developer conference in June.

Apple’s version of passkeys – password-less logins – will launch across iPhones, iPads, Macs, and Apple TVs in September. The idea is that using your fingerprint or face will create an encrypted passkey and when you return to that website or service you’ll get a prompt on your phone, tablet, or computer so you can verify your identity.

While Apple is first out of the gate, Google and Microsoft will soon announce their own versions. When all three have implemented passkeys, it should be possible to use the system across different devices, say logging into your Windows laptop with your iPhone.

There are still unanswered questions. Will you be able to easily transfer your passkeys if you decide to ditch Apple in favour of an Android phone? And how long will it take to persuade developers to implement the system across thousands of websites? If the reality of passkeys is clunky, people will stick with insecure but easily understandable passwords.

Another problem, though, is that not everyone has access to a device with a fingerprint sensor or facial recognition. The tech industry’s promise that the password is nearly dead may yet turn out to be the latest dimension of the digital divide with the rich able to rely on stronger biometric security while the poor are stuck relying on their memory.

It turns out that solving the problem of passwords is a lot harder than 12345.

Mic Wright is a freelance writer and journalist based in London. He writes about technology, culture and politics.

