World Password Day: The History of Passwords

Rose de Fremery, April 20, 2023
It’s time for change! This year, instead of celebrating World Password Day as usual, LastPass is calling out World Password(less) Day to embrace our passwordless future. As we prepare to leave passwords behind, it's worth reflecting on the rich history of passwords.  Here's a brief chronicle of how computer passwords first came to be, how we began using them to keep our digital lives secure, and how they protect us from cyber threats today.

The 1960s

Right around the same time NASA astronauts were preparing to go to the moon for the first time as part of the Apollo program, Fernando Corbató was creating the first password-protected user accounts at the Massachusetts Institute of Technology (MIT). When users logged into his Compatible Time-Sharing System (CTSS) with their respective usernames and passwords, they were able to manage their own individual sets of files on consoles that were linked to the university's mainframe computer. Although this early user-based authentication mechanism had security flaws, it directly influenced how computer geeks and regular people alike would think about passwords for decades to come.

The 1970s

Password security got an upgrade in 1972, when cryptographer Robert Morris came up with an encryption process known as hashing, in which passwords are translated into numbers. Later in the decade, Morris teamed up with his colleague Ken Thompson to create a complementary technique known as salting, in which random strings are added to a stored password so that it will be even harder to crack. Both hashing and salting are still widely used today. In fact, LastPass taps both of these best practices to secure every LastPass user's master password.

1990s-2000s

As the early internet became more prominent in everyday life, it became necessary to come up with more secure authentication protocols. AT&T claims to have invented two-factor authentication (2FA) in 1995, and the company received a patent for this technology in 1998. Once a niche solution, 2FA is widespread today. Chances are, you're already using it to log in to one or more of your online accounts.

When you take advantage of 2FA, the authentication system asks you to provide an additional form (or factor) of authentication such as a temporary, one-time code to prove that you are who you say you are. You may receive this additional factor via SMS, email, or an authenticator app. After you've received the code, you enter it in the 2FA prompt and then, provided everything checks out, you are granted access to your account.

2FA and its successor multi-factor authentication (MFA) became more prominent throughout the 2000s, when companies began rolling out Bring Your Own Device (BYOD) policies that allowed employees to use their personal smartphones for work.

2010s

Fast-forward to the 2010s, as mobile apps were taking off, and it became even more crucial to strengthen password security. Two-factor authentication (2FA) evolved into MFA, in which users attempting to log into an online account are asked to provide multiple forms of authentication in addition to their usernames and passwords. Security professionals refer to these multiple factors as:
  • Something you know (i.e., your password)
  • Something you have (i.e., your phone, an MFA token, or a smart card)
  • Something you are (i.e., biometric information like your fingerprint, your face, or your voice)
As data breaches increasingly made headline news, best practices like 2FA and MFA became more commonplace. Unlike login credentials, which could be breached and traded openly on the dark web without a user's knowledge, attackers could not obtain 2FA and MFA tokens quite as easily.

MFA is still an important form of protection today, especially if you re-use the same password for multiple online accounts (something that, according to the 2022 Psychology of Passwords Report, 62% of people are still doing). If an attacker attempts to log in as you but MFA is enabled on the account, you can get an early warning that something fishy is up, alert your colleagues in IT, and take action to protect both the business and yourself.

2020s

In the 2020s, breaches became more commonplace, cyber criminals became more brazen, and the average person began to better understand the risks involved in putting password security on the back burner. When many employees began working from home during the early stages of the pandemic, their digital lives expanded, and bad actors seized the opportunity to wreak havoc on an even larger scale.

In earlier decades, an eight-character password using a mix of uppercase and lowercase letters, numbers, and symbols was considered sufficient to protect an online account. Once we reached the 2020s, that was no longer enough. So, to protect themselves, employees began using longer and more complex passwords (or, in many cases, their IT departments mandated it). These passwords ran about 12 to 18 characters in length and were considered harder to crack.

Even people who wanted to adopt best practices in password security ran into a problem, however. Because they had so many online accounts and so many passwords to keep track of, the task became that much harder when the passwords were so hard to remember. So, many cybersecurity-savvy users and businesses alike began taking advantage of password managers to securely store their passwords.

Prepare for the passwordless future

Passwords have been with us at every step in the digital age, steadily adapting to accommodate even more advanced cybersecurity requirements along the way. Although it may be hard to imagine a day when we won't be using passwords anymore, it's quickly approaching. Gartner predicts that more than 50% of the workforce will be passwordless by 2025.

As we mark World Password(less) Day, now is the perfect time to prepare for the passwordless future. Try passwordless for free using the LastPass authenticator app.

If you want to learn more about how you can achieve stronger security through passwordless, join us for a webinar on May 4. Register your spot now.