The first password to be hacked

Learn more about the history of passwords, and the first one which was hacked.

Authors

Published: May 4, 2023


Happy world password day! This is a great day to change your passwords on important accounts such as banking, email or social media systems.

World Password Day is the first Thursday in May every year. Inspired by security researcher Mark Burnett, this is a yearly reminder to change your important passwords. This will help protect your accounts if there is a data breach. Password data can remain in the world for a long long time, but changing a password for an important account immediately helps secure it.

Choosing a good password as well as enabling multi-factor authentication will ensure that your data remains secure.

The first online password

Passwords, which are secrets used to gain access to systems, have been around for thousands of years. The Romans used watchwords and had a specific position in the army, the tesserarius, which was responsible for obtaining and sharing these secrets.

Gratuitous picture of the Roman Colosseum.

But the first password in an online system was for the MIT Compatible Time Sharing System (CTSS) at MIT, which was demonstrated in 1961. CTSS was the first general purpose time sharing operating system. That is, the first computing system with which more than one person could interact.

It was also the first system to have passwords. Fernando Corbató, who demonstrated the system in 1961, was responsible for passwords. From an interview with Wired magazine in 2012:

“The key problem was that we were setting up multiple terminals which were to be used by multiple persons but with each person having his own private set of files,” he told Wired. “Putting a password on for each individual user as a lock seemed like a very straightforward solution.”

The password based system didn’t only control access to a user’s files, but also to their time on the system. In the 1960s, compute time was very expensive, so students and faculty were limited.

The first password hack

It didn’t take long for the first password system to be hacked. According to Thinkset Magazine, one of the graduate students, Allan Scherr, wasn’t happy with the limits on his computer time. He needed more time to do his research, and felt he should have it.

In 1966, he discovered that he could print out files, including the master password file, with a system request. When Scherr did that, he obtained access to all the passwords of all the users on the system.

Scherr didn’t keep these passwords to himself, however. He shared the printouts with others to make it more difficult to track him down. Plus, other folks probably enjoyed the extra computational time. (Scherr didn’t reveal his actions until decades later, at a college reunion.)

Scherr will be forever known as the first password hacker.

Pick a long password and hash it well

Nowadays, passwords aren’t stored in plaintext, thank goodness. In 1974, the crypt function was introduced to Unix, which encrypts passwords.

Nowadays, the advice from institutions such as NIST is to salt and hash passwords using a “one-way key derivation function”. The purpose of hashing is to perform a one way transformation of text like password123 to db98b98d746d601572f0ae07e74e7b78. This is done with a relatively slow hashing algorithm such as PBKDF2 or Balloon, and is done many times. The number of times the password is hashed is called the factor. This process makes password hashing an expensive operation taking tens to hundreds of milliseconds.

The algorithm and factor are not typically in your control; it’s the province of whoever owns the system to which you are logging in. There are additional concepts that I’m not going to dive into here, such as a salt and a pepper. You can read more about the math of password hashing here.

When passwords are hashed properly, the next time you enter your password, the same function is applied the same number of times. If the derived hash is exactly the same, you entered the password correctly and should be granted access.

A few hundred milliseconds isn’t really noticeable when you are logging in. On the other hand, if a nefarious person or system is trying to guess your password, the duration of each variation means the attempt becomes slow, and therefore cost prohibitive.

You can additionally make it harder to guess your password by choosing a long, complex password. This increases the number of guesses said nefarious person will have to make. For example, a password of 4 digits has 10^4 (or 10,000) possible values.

In contrast, a 12 character with digits, lower and upper case letters and symbols has 95^12 (or 5.4036009e+23) possible values, approximately 54 quintillion more than the first example. There are 95 printable ASCII characters.

Happy passwording!

More on passwords

Subscribe to The FusionAuth Newsletter

A newsletter for developers covering techniques, technical guides, and the latest product innovations coming from FusionAuth.

Just dev stuff. No junk.