The Case of the Purloined Password
BRG is home to renowned thought leaders and experts considered authorities in their fields of work. Our timely research and perspectives provide analysis and insights on the most important issues facing the industries and organizations we serve.
You may be surprised to learn that the first recorded use of passwords to gain access to a computing system occurred back in 1961. You may be less surprised to learn that this landmark moment in computer history almost immediately led to another landmark: the first computer passwords to be stolen. And the story of how the first computer password became the first password hack has lessons to teach us today.
The first password — and the first hacker
MIT’s Compatible Time-Sharing System (CTSS) was a pioneering computer science research project. Under the direction of mastermind Fernando Corbató, the CTSS team developed many fundamental computing features we take for granted today, including email, file sharing and instant messaging. As the name implied, the CTSS was intended to provide a working environment for multiple users who would share access. Because each user had his own research domain and files, the CTSS needed to be able to distinguish between them and to present them with only the materials authorized to them.
The simplest, least processor-intensive solution was to have each user authenticate himself with a unique password, which the CTSS would verify against a master password file. Corbató and his team did not realize how innovative this was. They assumed that someone else must have tried something similar. But we know now that this is where the history of password security begins.
One of the CTSS researchers was a PhD candidate named Allan Scherr. He felt the measly four hours per week he was allotted on the system wasn’t enough for him to complete his work. So he set out to find sneaky ways to get more time. Because one of his projects entailed running certain measuring calculations on the operating system, he had a privileged level of access. For years, he used this privileged access to insert clandestine code into the system that effectively zeroed out any record of his time usage. As long as that code stayed, he could enjoy effectively unlimited access without discovery.
In 1966, that phase of Scherr’s research concluded, and he lost his privileged access. No longer able to run the computer’s odometer backward to erase the record of his use, he was again relegated to just four hours a week.
But Scherr was a wily scientist. He figured out that it was possible to print files by submitting a simple system request, and that nothing prevented him from submitting such a request to print out the master password file. One weekend in the spring of 1966, Scherr did just that, obtaining a complete list of everyone else’s passwords and becoming the first computer password hacker.
In an especially clever flourish, he gave copies to a few other users, to make it harder for unauthorized access to be traced back to him alone. Until he confessed at the 25th anniversary of CTSS, nobody suspected Scherr’s hack. Instead, the scientists had widely written off the password breach as a software bug. Scherr has told the story many times since, including in official publications commemorating the CTSS.
The history of passwords clearly shows the security flaws
For his part, Corbató thinks the entire story demonstrates the limitations of password security. In a 2014 interview with the Wall Street Journal, he dismissed passwords as “kind of a nightmare.”
“I don’t think anybody can possibly remember all the passwords that are issued or set up,” Corbató told the Journal. “That leaves people with two choices. Either you maintain a crib sheet, a mild no-no, or you use some sort of program as a password manager. Either one is a nuisance.”
Corbató’s team never thought they were implementing high-level security measures—their password use was just a mechanism for keeping users’ files distinct. As Scherr’s mischief showed, passwords are easily breached—and little has changed in the world of computer security passwords since the 1960s. Users often find them to be an annoyance, while determined cybercriminals routinely find them to be an easy-to-crack barrier.
Perhaps one day, a better form of security will replace the password, but until then, business and technology leaders need to remain alert to the limitations of password security. Without regular, effective training and robust, proper policies and well-maintained cybersecurity processes, passwords make for a weak level of protection against today’s hackers.
That was true in 1961, and, as far as computing has come, it’s still true today.
This article was originally published in the November 2018 issue of ThinkSet.