What You Should Know About Passwords
We were sharing a mainframe and we had a common disk file. People weren't used to sharing in [the 1960s]. It was just an attempt to put in some compartmentalization … to avoid people needlessly nosing around in everybody's files. – Fernando Corbató [1]
When computers went from stand-alone machines to shared systems used by many people at once, passwords were introduced at MIT so that each scientist could get at their own data. Users had unique credentials that let them reach their own files and computational resources while keeping everyone else out. At the time the passwords were stored on the computer itself, in plain text.
That System Wasn’t Going to Work
This MIT computer system lived on a local network. Nobody thought of it as especially vulnerable. It held the scientists' research. Who was going to steal that?
Then along came the internet and the web's friendly interface, bringing the dual promise of connectivity and convenience. Suddenly everyone hopped on board, so that today computing carries business email, medical and insurance conversations, purchase orders, banking and much more. All these interactions take place on a network reachable by anyone with internet access. Passwords moved forward too, becoming the first line of defense. But if they were going to provide real security, what had passed for a reasonable password would need attention.
Passwords for the Twenty-First Century
Leaving serious criminals and nation-state actors aside (more on that topic next week), what are the risks of using or letting employees use easily guessable passwords on the web?
- What could a competitor do with your exposed information?
- What added pressures might you be under in negotiations with suppliers if your finances and plans were revealed?
- What mayhem could an angry ex-employee get up to with your social media account or website?
If a password is easily guessable – a cat's name, 123456, any of the commonly used passwords or a simple variation on one of them – then aren't you asking for trouble?
From Telling People Apart to Security
With passwords' shift from merely identifying people to acting as a layer of security, what counted as a decent password had to be rethought. To paraphrase what Bruce Schneier said in 2000, we are told to make passwords complex and to remember them. But how can we do both? Spot is easy to remember (and easy for someone else to guess); 4$gY6d&8 is hard for someone else to guess precisely because it is random (and therefore hard for us to remember).
So what did people do? Their natural inclination was to add characters or swap digits for letters, going from Spot to 5P0T. But attackers think that way too, and these substitutions are among the first rules a password-cracking tool applies to a word list, so such variations turn out to be easy to guess. And people told to use numbers and symbols and to meet a minimum length ended up with Spot!1, which is just as easy to guess. For passwords to be a real security measure they had to be more random.
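To see how cheap those variations are to guess, here is an added example (not code from the original article, and not any particular cracking tool's rule set) that applies a small, constructed set of the usual mangling rules to a base word and reports where Spot!1, 5P0T and the like land in the resulting candidate list. The same enumeration covers the reuse problem with 1!spot and 123spot: once the base word is known, every decoration of it is a few thousand guesses away. The substitution table and the prefix and suffix lists are illustrative assumptions; real rule files shipped with password crackers are far larger.

```python
import itertools

# Constructed "leet" substitution table of the kind cracking rule sets use.
# Real rule files (hashcat, John the Ripper) contain thousands of rules.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# Decorations people bolt onto a base word to satisfy "use a number and a
# symbol" rules. Illustrative lists, not a complete rule set.
SUFFIXES = ([""] + [str(n) for n in range(100)]
            + ["!", "!1", "1!", "!!", "#", "$"] + [f"{n}!" for n in range(10)])
PREFIXES = ["", "1", "12", "123", "!", "1!", "@"]


def leet_variants(word: str) -> list[str]:
    """Every combination of substitutable letters replaced or left alone."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    out = []
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[word[i].lower()]
            out.append("".join(chars))
    return out


def mangle(base: str) -> list[str]:
    """Deterministic candidate list a rule-based cracker would try for `base`."""
    seen = {}  # dict preserves insertion order and drops duplicates
    for cased in (base.lower(), base.capitalize(), base.upper()):
        for leet in leet_variants(cased):
            for prefix in PREFIXES:
                for suffix in SUFFIXES:
                    seen.setdefault(prefix + leet + suffix, None)
    return list(seen)


def rank_of(target: str, base: str):
    """1-based guess number at which `target` falls, or None if the rules miss it."""
    candidates = mangle(base)
    return candidates.index(target) + 1 if target in candidates else None


if __name__ == "__main__":
    cands = mangle("spot")
    print(f"{len(cands):,} candidates derived from 'spot'")
    for pw in ["Spot", "5P0T", "Spot!1", "1!spot", "123spot"]:
        print(f"{pw:10s} guess #{rank_of(pw, 'spot')}")
    print(f"against {62 ** 8:,} possibilities for a random 8-character password")
```

Every one of the "clever" variants is found within the first twenty thousand or so guesses, which a cracking rig tries in a fraction of a second; the comparison line at the end shows the size of the space a genuinely random 8-character alphanumeric password occupies.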
To answer that need, people wrote randomizers, such as Steve Gibson's password generator at grc.com/passwords.htm. Gibson's Password Haystacks page makes a related point: in general, the longer the password, the harder it is to guess, because every added position multiplies the number of possibilities an attacker has to try. But there is a caveat to length: it only holds when the characters are actually random. If you reuse your chihuahua's name and wrap it in different characters for different websites (1!spot here, 123spot there), then once one of those passwords leaks, the others are only a handful of guesses away from the shared base.
And whatever a generator produces, people need a way to remember. So they kept passwords on a piece of paper in a desk drawer, hopefully in a locked file cabinet, or more likely on a bunch of sticky notes all over the monitor. Some copied the text with the clipboard and pasted it into a plain-text file on the computer, but then a compromise of that machine hands over every account at once. That is a problem.
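As an added example (not the original article's code and not Gibson's tool), the following shows how a generator should draw its characters and how the haystack grows with length: the entropy of a uniformly random password is length times log2(alphabet size), which is why a 12-letter lowercase random string is harder to exhaust than an 8-character mixed-case alphanumeric one. The alphabet and the guess rate used in the comparison table are assumptions for illustration, and the figures only apply to passwords that are actually random, not to decorated dictionary words.

```python
import math
import secrets
import string

# Assumed alphabet for generated passwords: letters, digits and a few
# symbols that survive most sites' input filters.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw each character from the OS CSPRNG via secrets.choice.

    random.choice would be the wrong call here: it is backed by a
    Mersenne Twister whose output is predictable once enough of it
    has been observed.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose characters are chosen uniformly and
    independently: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at the given guess rate."""
    return 2.0 ** bits / guesses_per_second


def haystack_table(guesses_per_second: float = 1e11) -> list[tuple[str, float, float]]:
    """Compare a few (alphabet size, length) choices. The default rate is an
    assumed offline-cracking figure for a fast unsalted hash, for illustration."""
    cases = [
        ("8 chars, letters+digits", 62, 8),
        ("12 chars, lowercase only", 26, 12),
        ("16 chars, full alphabet", len(ALPHABET), 16),
    ]
    rows = []
    for label, size, length in cases:
        bits = entropy_bits(size, length)
        rows.append((label, bits, seconds_to_exhaust(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    print("generated:", generate(16))
    for label, bits, secs in haystack_table():
        print(f"{label:26s} {bits:5.1f} bits  {secs / 31_557_600:.2e} years")
```

The table makes the haystack argument concrete: adding four random characters to the 8-character case adds more bits than switching from 26 to 62 symbols does, and each extra bit doubles the attacker's work.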
Managing the #45$#r!! Out of This Thing
There is nothing wrong with most of these early solutions as far as randomizing a password goes; the weakness is in the storage. Keeping passwords in plain text on the same machine is not secure. Sticky notes mean anyone in the physical vicinity can get at the accounts. Paper in a locked drawer or safe is the best of these choices.
Around 2000 Bruce Schneier wrote Password Safe, one of the first encrypted password managers. It offered the convenience of keeping generated passwords on the machine itself and sometimes auto-filled logins for still more convenience. Encrypting the store is comparable to keeping the paper under lock and key, with one important difference: the lock is the master password, so the whole store is only as strong as that one secret. Modern equivalents such as 1Password, Bitwarden and LastPass work in much the same way.
How to Lead a Revolution in Password Protection
Whatever way your organization decides to store its passwords, here are some things to bear in mind:
- How will your leadership team model password security? The head of an organization sets the tone and expectations for the rest of the group. Work with IT to determine the best password practices that enhance security for your organization.
- Teach people good password practices. What password generation and storage method will your organization employ? What length of password will be acceptable? How will you ensure randomness?
- Are there acceptable ways of sharing passwords? If so, which passwords and what are organizationally-accepted ways?
- Will passwords be changed periodically? Who is responsible for changing the passwords? How will the new passwords be implemented?
Back to School
Do you know how storing passwords in plain text worked out for 1960s MIT? MIT imposed a four-hour time limit on researchers' access to the computer system, and researcher Allan Scherr found this onerous. So he located the file of logins, printed it out and used the other scientists' credentials to keep working beyond his allotted hours. The first password hack thus arrived almost at the same time as the password's first implementation.
Given all that is at stake behind your company's passwords, it is worth keeping this basic line of defense secure, as we'll explore next week in Why Are Passwords So Dangerous.