The Use of Passwords

Although the real history of computer passwords is shrouded in mystery, like a lot of great inventions we take for granted, the first password was probably used at MIT in the mid 1960s when researchers there built a massive time-shared computer called CTSS. The CTSS system pioneered many of the network things we now take for granted like E-mail, virtual machines, instant messaging and file sharing.

Because the system was time-shared and each user had access to his own set of files, the need for a password was a no-brainer. The system could have used knowledge-based verification, like some bank systems now use–answering questions with facts nobody else would know, like your mother’s maiden name, for instance. But knowledge-based systems require a lot more storage than passwords, and that mattered in those days.

The first data breaches:

In 1962 an MIT computer researcher named Allan Scherr, who was allotted four hours a week of computer time, didn’t have enough time to run the simulations he needed. Scherr admitted years later that to acquire more time, he simply printed out the entire list of passwords stored on the system and used other people’s time.

In 1966, a software bug tangled CTSS’s welcome message and its master password file so that anyone who logged on was greeted not by the welcome message but by the entire list of passwords.
Researchers are only now beginning to look for serious alternatives to password systems.

Half Measures:

The method Microsoft has selected for its Surface and Windows 8/10 operating systems is one step removed from the conventional password. Once you have established a Microsoft account including a Windows password, you can opt to use a four digit pin code, a picture login, or a combined picture and finger drawing “gesture” based system on touchscreen-capable systems. The system is sensitive to the picture, the drawing shape and the location of the drawing on the picture. You can actually opt to go straight to the pin to log in quickly in Windows 10. The picture/gesture solution contains considerable information and would be very hard to guess with any “brute force” code-breaking system.

FIDO Compliant Solutions:

Passwords have been getting so complex that users often can’t remember them. Many users have so many passwords for different sites that they mix them up or rely on data-base software to remember them.

The use of passwords remains a top security problem, according to the Fast Identity Online (Fido) Alliance ISSE 2015 conference. The concern was distinctly stated by Google Germany’s public policy manager Sandro Gianella.

“We need to move away from passwords, and this is something the whole industry can rally around to drive things forward.”

Biometrics makes use of the assumption that everyone’s measurable biology is unique enough that duplication would be a very rare occurrence. Biometric authentication systems based on fingerprint readers, face, hand, retina, or ear features have been tested. Behavioral features such as typing rhythm, gestures, or voice quality are also candidates for application.

The one-time passcode system (OTP) is a potential alternative. This is an automatically generated numeric or alphanumeric string that authenticates the user for a single transaction. The OTP is received on a pocket-sized fob with a small screen that displays the code. The number changes every 30 to 60 seconds. For two-factor authentication, the user enters a user id, a PIN number and the OTP to gain access.

Google has led the way toward a FIDO compliant password-free authentication system using a USB security key. This extra piece of hardware simplifies the system of two-factor authentication that sends a verification code to a cell phone or e-mail. There is no need to re-type verification codes, you simply insert your security key into your USB port when asked. This small receiver device can be attached to a keychain and carried with you for use anywhere.

With 20 years of experience, BWS can provide answers for help desk, network services, desktop management, customized imaging, accounting, security, and hardware needs. Please contact us to find out more.

  • 03/14/2016
  • IT