Cyber StepTracker Blog

Passwords, A Short History

Knowing how passwords are stored helps motivate you to make and keep good passwords.

Passwords, for computers anyways, have a long and mixed-up history.

In the early days, 1970s "timeshare" systems, nobody had a password they just had a login in. Everyone in the office trusted everyone else because the organization was small and people knew each other.

Then came telephone dialup access (think old movies like "Hackers" or "War Games"). Commercial "timeshare" services with paid service came into play and now a password was important.

Then came the hackers. With some effort they managed to snag a copy of the account IDs and passwords. In those days, the computers kept exact copies of the passwords for comparison.

No More Plaintext Passwords

In cryptography terms, "plaintext" is the readable and usable form of a message or text.

When encrypted, the message or password is a jumble of letters. Encrypting passwords seems like a good idea except the hackers can still steal the encryption key along with the encrypted passwords. After all, both have to be present on the hacked computer.

So that idea didn't work. Hackers, if they got in, would know everything.

The replacement was to use a different function called a Hashing function. It mixes the letters of a message in a known but random-like way to produce a single number, called a "hash". This number is meant to guarantee future comparisons of two texts: if the hashes match then the texts can be regarded as matching as well.

Even a slight change of the message text should result in a completely different hash number.

As a result, you don't have to keep copies of the passwords, just copies of the hash.

In the early 1990s this method was adopted with one extra adjustment: a random number was added to the secret password, and the hash performed on the combination. Both the random number and the resulting hash are stored for comparison.

When the computer receives a password, it looks up the hash in the database for that account, together with the stored random number. It computes a comparison hash based on the stored random number plus the user's password entry. If the hash matches, the password is good.

Why use the extra random number? Adding a random value means the same password used by different people results in a different hash value. So therefore password guessing by computing hashes in advance doesn't work anymore.

If a hacker manages to break in and collect account IDs, they don't get passwords they just get hashes. And hashes are much more difficult for the hacker.

So Many People, So Few Passwords

There are 8 billion people in the world, and most have smartphones or other electronics.

About half have accounts that need passwords, and most people have dozens of accounts that need passwords.

Yet, hackers have hacked hundreds if not thousands of online services, and there are only about 0.5 billion password hashes collected by them.

What does the mean?

• the average password is used dozens of times
• the most popular passwords are used millions of times
• basic passwords like 123456 or qwerty or password are used too often
• some estimates suggest 86% of passwords are terrible because they are short, simple or dumb

See Troy Hunt's May 2018 blog for some details.

What can you do?

• change your passwords to pass-phrases (several words but no spaces)
• use a new pass-phrase for every website and service
• use 3 or 4 words and some digits and ^#! marks
• track your new pass-phrases with an app on your phone or PC or both

Trust that even if the websites you have chosen are dumb enough to keep plain-text passwords then your information cannot be reused on any other website because it's different. Hackers attempting old passwords on many websites is called "credential stuffing". That's using an old email + password on a new site to "see if it works."

If all your passwords/passphrases are relatively new and high-quality, then credential stuffing won't work against you.

That is all.