
Passwords, their function, history, rules and replacements

Team Bravas - 12/12/2023

What is a password?

A password can be thought of as a key that opens one door (and ideally not several!) for the person who holds it. A password should be known to a single person (or, occasionally, to a small group). Once the door is open, the password grants access to privileges and information, so it is essential to keep it safe and to change it as soon as it may have been compromised.

The History of the Password

In ancient times, passwords were used to identify friends or foes, such as during a battle. Passwords were also used in guilds and secret societies to identify members.

In the nineteenth century, railroads began printing serial numbers on train tickets to prevent fraud. Passports and other official documents also began to include verification features to prevent counterfeiting.

It is worth noting that the use of passwords in clandestine bars (better known as speakeasies) is mainly a practice of the Prohibition era in the United States, which lasted from 1920 to 1933. During this period, the sale, manufacture and distribution of alcohol were prohibited by law, but many speakeasies continued to operate in secret.

To access these bars, patrons had to know the password, which was usually a passphrase or secret code, often passed on by word of mouth or by people they trusted. Speakeasy owners used passwords to screen patrons and ensure that only regulars and trusted persons were allowed in.

Passwords were also used to warn customers of an impending police raid or to announce special events such as music performances or theme nights. Passwords, therefore, played an important role in the security and discretion of speakeasies during Prohibition.

Nowadays, although the use of passwords in speakeasies is no longer as common, some businesses can still use them to add a touch of mystery and exclusivity to their events. However, this practice is often more a matter of marketing than of any real need for security or discretion.

The password as we know it became massively popular with the development of computers and digital technology in the 1970s: the numbers, letters and special characters that are supposed to protect access to our electronic devices and accounts.

The first digital password was created by Fernando Corbató in the early 1960s, a security technique that was revolutionary at the time but that he later described as rudimentary and unmanageable. Only slight changes followed until Bill Burr's report laid down the official rules for password generation for the National Institute of Standards and Technology (NIST) in the United States.

Even if you have never read his report, you have certainly applied some of the rules it advocated:

  • Password renewal every 90 days
  • Use of special characters, numbers and capital letters
  • A minimum length of a set number of characters

However, these recommendations had never been tested before being communicated and applied massively all over the world by companies, Internet users and even government institutions. He apologized in 2017, 14 years later, and even advised against following these recommendations, whose patterns had by then been built into the software used to crack passwords. A great example of cargo cult programming!

Maybe what seems complicated to a human isn't so complicated to a computer?

So what are NIST's current recommendations?

In June 2017, NIST published new rules around digital identity, authentication and their lifecycle management:

  • A user-created password must be at least 8 characters long, and users must be allowed to choose a password of up to 64 characters
  • A password generated by a computer must be at least 6 characters long (such passwords are usually used only once)
  • All printable ASCII characters (ASCII, the American Standard Code for Information Interchange, being one of the most widely used character encodings, especially on computers) and all Unicode characters (a standard that maps symbols to numbers) should be accepted, including symbols, spaces and even emojis
  • Stored passwords should be salted (random characters generated by the cryptographic solution are added to your password) and then hashed (a deterministic but non-reversible mathematical function transforms the result), and should never be truncated
  • Proposed passwords should be checked against databases of stolen passwords and rejected if a match is found
  • Passwords must not expire
  • User-generated passwords must not contain sequences ("1234") or repeated characters ("aaaa")
  • Two-factor authentication (2FA) should not send codes via SMS
  • Secret questions ("what is your mother's maiden name?") should not be used
  • Users must be allowed up to 10 login attempts before their account is locked
  • No hints should be given
  • No complexity requirements should be imposed (such as a "mandatory special character")
  • Words related to the login context (service name, username, etc.) should not be used
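
As an added illustration (not code from the post or from Team Bravas), the following Python checks a candidate password against the rules listed above and stores it salted and hashed without truncation. The breached-password set is a small constructed stand-in for a real corpus, and the context words passed in are assumed examples.

```python
import hashlib
import os
import secrets
import unicodedata

# Constructed stand-in for a breached-password corpus (a real check would query a large list).
BREACHED = {"123456", "password", "azerty", "qwerty", "letmein"}
MIN_LEN, MAX_LEN = 8, 64   # bounds for user-chosen passwords given in the post
RUN_LEN = 4                # "1234" and "aaaa" are the post's examples of rejected runs

def _has_run(pw, n=RUN_LEN):
    """True if pw contains n identical characters or n consecutive code points in a row."""
    cps = [ord(c) for c in pw]
    for i in range(len(cps) - n + 1):
        window = cps[i:i + n]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):   # aaaa / abcd 1234 / dcba 4321
            return True
    return False

def check_password(pw, context=()):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    pw = unicodedata.normalize("NFKC", pw)  # one canonical form however the user typed it
    problems = []
    n = len(pw)                             # code points, so accents and emojis count fully
    if n < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    if n > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    if pw.lower() in BREACHED:
        problems.append("found in breached-password list")
    if _has_run(pw):
        problems.append("contains a sequence or repeated characters")
    for word in context:                    # service name, username, ...
        if word and word.lower() in pw.lower():
            problems.append("contains login-context word %r" % word)
    # No composition rule ("must contain a symbol") on purpose: the post says to drop them.
    return problems

def hash_password(pw, salt=b""):
    """Salt and hash the whole password (never truncated) with scrypt; returns (salt, digest)."""
    salt = salt or os.urandom(16)           # fresh random salt per stored password
    data = unicodedata.normalize("NFKC", pw).encode("utf-8")
    return salt, hashlib.scrypt(data, salt=salt, n=2 ** 14, r=8, p=1)

def verify_password(pw, salt, digest):
    """Recompute the digest with the stored salt and compare in constant time."""
    return secrets.compare_digest(hash_password(pw, salt)[1], digest)
```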


What are some techniques for cracking a password?

Why create so many password rules? You may think that since you have never shared your password, there is no risk. Unfortunately, hackers, whether working alone or in groups, have become more professional: they have bots that scan the web and are capable of carrying out large-scale operations.

Here are the most common methods used to steal a password:

  • Brute force: the idea is simple; a program tries every possible combination until the password is found. This technique, although still in use, can be thwarted by limiting the number of attempts and by using very long passwords, which also defeat precomputed-hash attacks (rainbow tables)
  • Dictionary attack: a program tries the most commonly used passwords in the world. Forget "12345", "azerty" and other overly simplistic passwords
  • Phishing: this technique can be very deceptive. The attacker imitates a legitimate site so that you enter your username and password on it. Pay attention to the details (the URL, spelling mistakes, a suspicious email...) and enable two-factor authentication as soon as it is offered.
  • Malware (keyloggers, Trojan horses, etc.): the computer is infected and the attacker sees everything the user does and types. This malware can take the form of software, browser extensions, mobile apps or files, so tip number one: be careful what you download, and be even more vigilant when using a computer that is not your own.
  • Guessing the password: yes, we have all answered a secret question with something that is common knowledge. Big mistake: those questions must have answers that only you know.
  • Reading the password: a post-it? A page in a notebook? An unencrypted note on your computer? Remember, hackers are not necessarily on the other side of the world.

There are many solutions, methodologies and technologies that will help you better secure your access and your information. Some shore up weaknesses, and others replace all the authentication and login methods you may have used since your first days on the web.

What if I told you that passwords will have no place in the web and the workplace of the future?!

If you'd like to know more, contact us!