Turning the page on password security as its creator, Fernando Corbato, dies at 93

This legend of computing was a pioneering great but his analogue invention doesn’t sit well in a digital age


Built in the 60s, the Compatible Time-Sharing System (CTSS) was the first computer system to use passwords to protect its users' information. Last week, the pioneer behind the invention, Fernando Corbato, died at the age of 93. His feat has been a staple of information security for decades, but as we creep into the 2020s, a host of big players in the tech industry are attempting to consign it to history.


Like many, I have the potential to be rampantly disorganised in both life and admin. Having to remember several dozen passwords doesn't help things. They're fiddly, difficult to track, and far too easy to crack. This was echoed recently by Microsoft's CISO Bret Arsenault, whose firm wants to abandon password security in favour of alternative methods like biometrics.

With individual users demanding their own privacy, Corbato's CTSS demanded that each user create an account with a personal password. This seemed "like a very straightforward solution", Dr Corbato told Wired in 2012. In today's age, however, password security is flawed, in practice at least.

User accounts guarded by just a password are easy to crack, thanks to attack methods like password spraying, which led malicious actors to breach Citrix's systems in an infamous 6TB hack. Despite the obvious convenience, we should never, ever, ever re-use passwords for different user accounts. Each one must also be head-scratchingly complex (with a combination of lowercase letters, uppercase letters, symbols and numbers) to minimise the risk of brute force breaches.


With dozens of these unique combinations to bear in mind too, it's impossible to stay on top of one's digital footprint without the use of a password manager. Employing one is considered healthy cyber security practice, and it's done wonders for my own organisational capacity. Even then, however, it concentrates any prospective intrusion to just a single point of access.

Innovations like two-factor authentication (2FA) have served as a get-around for what is effectively a thin, obfuscatory sheet separating your personal data from the wolves. But even this added layer of protection is vulnerable to increasingly sophisticated attacks like SMS interception.

This is why companies like Microsoft have been so persistent in calls to shift users away from using passwords. The industry titan has been weaning Windows users off them over several years, abandoning passwords altogether in a 2018 test run for Windows 10S. For Microsoft, biometric authentication represents the future.


Yahoo, meanwhile, changed its login process for Yahoo apps in 2016 after signalling it wanted to kill conventional passwords in favour of "on-demand passwords" a year before. Moreover, a host of sites allow you to sign in to your personal user accounts through your social media profiles which are, in theory, tied with your identity. Apple has gone down this road too, though without the allegations of data hoarding that the likes of Facebook and Google are more likely to be at the centre of.

All these alternative methods, from biometrics to social profiles, carry their own problems and security risks, however. The latter method, for instance, is dependent on said social media firms adequately safeguarding their users' information. What reassuring news, then, that Facebook was found lately to have been storing millions of user passwords in plain text on its internal servers. Much of the technology powering biometrics, meanwhile, is, for want of a better word, rubbish.


As we tick over into 2020 and beyond, there is, unfortunately, no easy answer to this. Myriad alternatives will likely be tried, tested, and slapped back onto the drawing board, while the password continues to chug along. Prospective technology like blockchain has also been touted, but we're yet to see this transcend the academic pages of an industry white paper.

Embracing the next stages, whenever they arise, poses social challenges, too. Passwords are universal, and employed by almost every individual with access to a computer or handheld device. Abandoning this practice will require a massive culture shift that will likely span several decades. This isn't to mention logistical considerations, like the infrastructure costs tied with adopting methods like biometric security, given its reliance on sensors.

Corbato was an important figure, not just in terms of his pioneering achievements for security, but for computing in general. He was honoured for his life's work in 1990 with the Association of Computing Machinery's Turing Award, described by some as the Nobel Prize for computing. His invention of the password has stood the test of time but has proven itself an analogue tool that is struggling to keep up in an increasingly digital age. His contribution won't be forgotten, but it's time we turned the page.
