Turning the page on password security as its creator, Fernando Corbato, dies at 93


Built in the 60s, the Compatible Time-Sharing System (CTSS) was the first computer system to use passwords to protect its users' information. Last week, the pioneer behind the invention, Fernando Corbato, died at the age of 93. His feat has been a staple of information security for decades, but as we creep into the 2020s, a host of big players in the tech industry are attempting to consign it to history.

Like many, I have the potential to be rampantly disorganised in both life and admin. Having to remember several dozen passwords doesn't help things. They're fiddly, difficult to track, and far too easy to crack. This was echoed recently by Microsoft's CISO Bret Arsenault, whose firm wants to abandon password security in favour of alternative methods like biometrics.

With individual users demanding their own privacy, Corbato's CTSS required each user to create an account with a personal password. This seemed "like a very straightforward solution", Dr Corbato told Wired in 2012. In today's age, however, password security is flawed, in practice at least.

User accounts guarded by just a password are easy to crack, thanks to attack methods like password spraying, which malicious actors used to breach Citrix's systems in an infamous 6TB hack. Despite the obvious convenience, we should never, ever, ever re-use passwords for different user accounts. Each one must also be head-scratchingly complex (with a combination of lowercase letters, uppercase letters, symbols and numbers) to minimise the risk of brute-force breaches.

With dozens of these unique combinations to bear in mind too, it's impossible to stay on top of one's digital footprint without the use of a password manager. Employing one is considered healthy cyber security practice, and it's done wonders for my own organisational capacity. Even then, however, it concentrates any prospective intrusion on just a single point of access.

Innovations like two-factor authentication (2FA) have served as a get-around for what is effectively a thin, obfuscatory sheet separating your personal data from the wolves. But even this added layer of protection is vulnerable to increasingly sophisticated attacks like SMS interception.

This is why companies like Microsoft have been so persistent in calls to shift users away from using passwords. The industry titan has been weaning Windows users off them over several years, abandoning passwords altogether in a 2018 test run for Windows 10S. For Microsoft, biometric authentication represents the future.

Yahoo, meanwhile, changed its login process for Yahoo apps in 2016 after signalling it wanted to kill conventional passwords in favour of "on-demand passwords" a year before. Moreover, a host of sites allow you to sign in to your personal user accounts through your social media profiles, which are, in theory, tied to your identity. Apple has gone down this road too, though without the allegations of data hoarding that the likes of Facebook and Google are more likely to be at the centre of.

All these alternative methods, from biometrics to social profiles, carry their own problems and security risks, however. The latter method, for instance, is dependent on said social media firms adequately safeguarding their users' information. What reassuring news, then, that Facebook was found lately to have been storing millions of user passwords in plain text on its internal servers. Much of the technology powering biometrics, meanwhile, is, for want of a better word, rubbish.

As we tick over into 2020 and beyond, there is, unfortunately, no easy answer to this. Myriad alternatives will likely be tried, tested, and slapped back onto the drawing board, while the password continues to chug along. Prospective technology like blockchain has also been touted, but we're yet to see this transcend the academic pages of an industry white paper.

Embracing the next stage, whenever that arises, poses social challenges, too. Passwords are universal, and employed by almost every individual with access to a computer or handheld device. Abandoning this practice will require a massive culture shift that will likely span several decades. This isn't to mention logistical considerations, like the infrastructure costs tied to adopting methods like biometric security, given its reliance on sensors.

Corbato was an important figure, not just in terms of his pioneering achievements for security, but for computing in general. He was honoured for his life's work in 1990 with the Association for Computing Machinery's Turing Award, described by some as the Nobel Prize for computing. His invention of the password has stood the test of time but has proven itself an analogue tool that is struggling to keep up in an increasingly digital age. His contribution won't be forgotten, but it's time we turned the page.

Keumars Afifi-Sabet
Contributor

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.