Passwords have been with us since ancient times. Roman military guards used “watchwords”: a wooden tablet engraved with the daily secret word was passed from one shift to the next, and each guard post marked the tablet to confirm it had been received. Militaries have used passwords, counter-passwords, and even sound patterns (the Allies used a clicking device called the “cricket” on D-Day) for centuries. Even then, the weakness was the same as today: someone knows the password, so it can be compromised, and once it is, anyone can masquerade as the legitimate user. All the way back in these historical periods, a shared password seemed perfectly fine… and we wonder why we have problems today!
Obviously, passwords are now more closely associated with systems and applications. One of the first true computing environments, MIT’s Compatible Time Sharing System (CTSS), was introduced in 1961 with a LOGIN command that asked for a user’s password. The user would type in PASSWORD so that any printing mechanism would temporarily stop, allowing the actual password to be entered in privacy. The evolution of passwords continued from there: Robert Morris and the UNIX password hashing system, the development of the crypt password hashing routine that used a 12-bit salt and 25 rounds of DES, and the inevitable creation of Microsoft’s LANMAN and NT hashing algorithms, which are still widely seen today.
What’s at the core of the problem with passwords and their use as an authentication mechanism? We’re largely reliant on the system users themselves, and secretly everyone hates passwords. The earliest computer hackers hated security and passwords - they just wanted to program and make computers do cool things. Later users just wanted to get their jobs done quickly - passwords were a nuisance. Today, the attitude is somewhat different - people recognize why passwords are important, but they STILL HATE THEM. People look for the simplest and easiest way to get past the password prompt so they can get access to the stuff they want, and they’ll go to surprisingly great lengths to make this easier for themselves whenever possible.
We’ve tried desperately to improve password security and password authentication overall. We’ve implemented password policies that demand length, complexity, originality, and sometimes your first-born child. We’ve forced more complex and sophisticated algorithms into use within our environments, sometimes necessitating updates and upgrades to existing technology. We’ve begged and cajoled users to create passphrases that have some personal meaning to them. Security awareness programs now include discussions about passwords and password policies by default. In light of all this effort, you’d think passwords would be getting better, people would be helping us protect them, and that the attackers’ jobs would be harder. Alas, we’re wrong. People re-use passwords everywhere. Their passwords still suck. They still write them down, forget them, share them, and give them away to needy Nigerian princes. Will this madness ever stop? Is there a better way? Sure there is…and you can find out more by checking out our webcast on the topic on February 24th - see you there!
Dave Shackleford, Cybersecurity Expert and Founder of Voodoo Security
Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies.