The past, present and future of digital passwords
Passwords have been a part of the human story for thousands upon thousands of years. Cryptic and hidden sounds, symbols and hand gestures that granted us access to normally hidden realms and information that was only meant for certain eyes to see. A symbolic gesture that implies that we are who we say we are and that we are allowed access into a system. Even if it only implied it.
The word itself implies its ability to let us “pass” given the “word” or set of words. Variations include “passphrase”, “code”, and “watchword” to name a few.
Very few things have changed since the times of Polybius, the Greek historian born in 200 BC, who described the role of passwords in a typical guard’s daily life. In his own words:
“The way in which they secure the passing round of the watchword for the night is as follows: from the tenth maniple of each class of infantry and cavalry, the maniple which is encamped at the lower end of the street, a man is chosen who is relieved from guard duty, and he attends every day at sunset at the tent of the tribune, and receiving from him the watchword — that is a wooden tablet with the word inscribed on it — takes his leave, and on returning to his quarters passes on the watchword and tablet before witnesses to the commander of the next maniple, who in turn passes it to the one next him.”
It’s interesting to see how this same mechanism has followed us into the technological age, whether inscribed in wood or on a magnetic disk.
The first password
For the sake of the conversation, “passwords” here refers to digital passwords in the computational sense, and not to the real-world, den-of-thieves kind that allowed us access into caves full of loot.
Digital computers are a relatively new phenomenon, so passwords date back only a few decades. The earliest usage of digital passwords to gain entry into a system can be traced back to 1961, on MIT’s Compatible Time-Sharing System, one of the first time-sharing operating systems to come about in our age.
The idea behind it was simple. To allow files to be accessed by only certain parties. Again, not a new concept or ideology. But an important one nonetheless if secure data technology were to advance in any real way.
In the words of one of the creators of the system themselves, Fernando Corbato, “Putting a password on for each individual user as a lock seemed like a very straightforward solution.”
Since that time, we have implemented password-protection systems in everything from laptops and phones to cars and even your home.
Operating systems depend upon this handshake in order to protect your digital files. And essentially every website with any form of personal data will begin its workflow by asking you for a cryptic message.
It’s simple, and it works, for the most part. But it is in its simplicity that we begin to see its weaknesses as well.
Single-word passwords are only one modality when it comes to authentication. And the more layers of abstraction you can build up, the higher the potential for security. One of these alternative methods is the knowledge-based approach, in which a system will ask you personal questions that theoretically only you should know, in order to validate your identity.
This can include anything from your favorite color, to your hometown, to the name of your first car (if you name your car). These systems do exist currently, mainly used for password retrieval or as secondary security measures on all but a few rare sites.
Humans are fickle creatures, however. We like variety and we change often. Our memories are also a delicate function that ages with time.
“Who was your first elementary school teacher?”
Was it “Ms. Dana?” or perhaps “Mrs. Green”? Was she married? Or single? Or is this memory even correct at all?
A slightly more secure method, but one that is susceptible to the human condition it seems. We can think of this as a trade-off between security and longevity.
This method, unfortunately, has also seen its share of frailty. Because entry into a system relies on personal data, celebrities are at a huge disadvantage when it comes to this mechanism. A quick online search can pretty much give any would-be intruder enough information to make this form of security all but useless.
The limited security of passwords
While the word itself implies some measure of protection and safety, it is only really just an implication. Passwords suffer from one giant flaw. One that is not easy to overcome and that makes the entire concept frail and delicate.
This is true for both the password and the knowledge-based approach. The flaw lies in the limited personal ownership of each password. By that I mean that passwords cannot be guaranteed to belong to a single person.
One person may have decided upon a password and they may believe that they are the sole heir of it, but that is at best only speculation.
Because passwords are simply a combination of letters, numbers and certain special characters, they have little to nothing to do with any particular individual. And this makes passwords essentially just a guessing game to anyone willing to play along.
At least in the past, guards had the benefit of remembering a face along with a password. We have that now in the form of entering an email address or a username into a web form. Again, this implies uniqueness but does not guarantee it. I suppose in the olden days, this could be akin to someone pretending to be someone else by modifying their appearance and way of speech. To a drowsy enough guard who had a drink or two too much, this could potentially grant access to the wrong person.
During the past decade or so, however, companies have begun to tackle this issue. For one, because it is expensive. Not just from a technological standpoint, but from a public relations one as well.
We have all heard about the massive data breaches that major corporations suffer through each year and this is not without cost. Stocks take a hit, users shift to new platforms and legal issues arise from this as well. Not to mention the potential cost to the actual users themselves.
This is why a considerable amount of energy gets spent on means of protecting this data through various other ways of encryption and storage.
With strong-enough encryption algorithms, it could potentially take hundreds of years to crack even a single password using a brute-force technique. On a long-enough timeline, however, we can see that this is only a band-aid on an already fragile system.
The term “biometrics” conjures up images of retinal scans and implanted circuits that open doors and turn on cars. Those are a part of a biometric world, yes, but only one small part. Biometric identification offers an advantage that you can’t find in the text-based password model. It solves the biggest challenge mentioned above, and that is the challenge of ownership.
Fingerprints are unique to an individual, as are retinal patterns, your blood vasculature system, and your overall facial tone and structure, to name just a few parameters. Everybody gets one and we carry this data with us at all times. This makes them more ideal for unique personal entry into a locked system than a shared vocabulary system with a limited number of characters.
In 2019 a woman from Texas became the first (first public anyhow) person to implant a Tesla Model 3 entry keycard into her body. She received criticism as well as praise from her peers in doing so. Some saw the act as heading towards a dangerous trend, while others applauded her courage in being a pioneer in the field.
The more modern biohacking community offered ideas for improving the design, such as suggesting that Tesla have some form of reprogrammable keycard in the future so that one would have no need to keep reimplanting the chip if and when the individual decides to change cars.
Biometric authentication at this level solves the problems mentioned above in a more concrete way. Getting someone’s car keys can be as simple as picking them up from a table when left unattended and then walking around a parking lot for a few minutes. This happens all the time around the country and around the world. When the car key is in somebody’s body, however, that problem all but goes away.
These days you don’t have to go the implantation route in order to incorporate biometric identification in your life. In fact, more than likely you are already doing it. Most smartphones in use today use a fingerprint reader in order to be unlocked. Not only is it convenient, but it is trendy as well. Phone companies now compete to see who can come up with the most complex way to read your prints, such as through the screen itself.
Certain laptops today can also unlock by analyzing and detecting the user’s facial patterns and comparing them to a trained model built when you first purchased the device. Again, this helps to solve the challenge of ownership when it comes to the typical use of passwords today.
I myself use Windows Hello to unlock my laptop and have done so for some time now. To the point where it does indeed feel cumbersome when the facial detection fails and the OS has me re-enter my password, which is all but a faint blur these days.
As more hardware manufacturers begin to incorporate facial recognition and fingerprint reading into their devices, I foresee the trend gaining popularity with the biometric approach becoming primary and the text-based password a secondary means of entry.
As with any system, given enough pressure even the toughest diamond will eventually crack. Because biometric identification still relies on algorithms, sensors and on the far end some form of data storage, it is still susceptible to certain forms of intrusion.
Fingerprints, for example, while unique, can be found on pretty much every square inch of any location, including on the phone itself. For anyone willing to try just a little bit harder, getting that spiral pattern from your screen is potentially doable.
In 2016, hackers were also able to fool a facial authentication system using nothing more than digital photos and a clever use of VR technology to create depth in an image.
Again, we seem to find ourselves in a race against our own technological advances.
Before we get too deep into retinal scans and RFID chip implants to buy a bag of chips, we still have a few alternatives that are very viable and secure, and some companies are already using them proactively. Companies like Google and Yahoo, for example, can unlock your email account through mobile-phone verification.
You essentially get a message on your phone asking if you are who you say you are, you confirm, and instantly you are in. No passwords required in the exchange. I use this method every so often as well and have found it to be an incredibly smooth process, though still with some trepidation.
This works for the same reason that biometric authentication works. Only one phone can have your phone number at any one time. When you request to log into a system, one single notification gets sent out to your device, which is, I would say, “unique enough” for a match.
The only concern with this approach is the reliance on an external device, which may be compromised at some point, or which may suffer from its own frailties, such as running out of battery power.
We can’t fully outrun responsibility just yet it seems. Just as you need to follow certain guidelines when selecting your password for a website, you also have to ensure that you protect your mobile devices if we are to use them in that same manner. They are an extension of ourselves in a way.
They house our memories, our voices, and even our visages and they do so with higher fidelity than our own current state of mental capacity.
The future of the password
We all know the unsatisfying feeling of having to create yet another password for yet another website. The red error message letting us know that the complexity isn’t enough to warrant safety. Is it true? To some extent, though this programmer tends to think it is trivial and a moot point. Having an extra “8” in your password probably won’t make you any more secure in the long haul.
Eventually, we just begin to use the same phrase over and over again, decreasing our overall security footprint in an increasingly connected social reality.
We also know the feeling of having forgotten our passwords time and time again. Having to reset the cryptic message over and over to the point where we stop logging in to that system period.
Some could chalk this up to our current habit of outsourcing our memory to our digital devices as mentioned above. Just as we no longer need to memorize phone numbers in order to communicate with our friends and families, we also no longer need to memorize passwords as browsers and password managers do the work for us.
In a very near future, we will wonder how we lived such primitive lives of having to create random words and phrases in order to guard some of our most precious secrets. Our finances, our personal photos and documents, our most sacred moments, all guarded by a minimum of 5 characters, a number and a symbol.
To be truthful, I can’t fully predict just yet what the future of passwords will look like. Perhaps a combination of all of the methods mentioned so far will give life to a seamless mechanism that will blend into the background of our lives. So much so that we will never have to remember another passphrase in the future.
But I don’t think we will ever forget the charm of the old ways. The satisfying feeling of remembering the once forgotten password on an old website. Of seeing a snapshot of a moment from the past. Of gaining access to content that we guard and protect, similar to a child’s reaction upon entering their secretive treehouse.
I don’t believe this is the end of the password, however. Because the idea is still a captivating one and a somewhat romantic one. The ease of the words as they flow out carefully and the power behind their intention. No doubt that passwords are still heavily in use around the world in a non-digital form. A greeting between members of certain groups perhaps. Or entry into a nondescript building with a burly gentleman at guard.
“The bird flies into the hen house.”
To be challenged with:
“Only at dawn.”
As ethereal as time itself.
I openly embrace the future and its new unfound methods of security and authentication. As we progress towards a more A.I.-centric reality, in which humanity and machine blur lines, I can more fully appreciate and honor the past.