The Cultural History of Passwords - 3,000 Years of Authentication from Ancient Watchwords to Biometrics
Passwords are not a modern invention. The practice of using secret words to verify identity stretches back over 3,000 years, from Roman military watchwords to medieval castle gates, and from the world's first computer password at MIT in 1961 to today's passkeys and biometric authentication. Understanding this history reveals a recurring pattern: every authentication method eventually gets compromised, driving the invention of the next. This article traces the cultural and technological evolution of authentication across three millennia - and examines whether we are finally approaching a passwordless future.
Ancient Authentication - Military Passwords and Watchwords
The Roman tessera and Night Watch
The earliest detailed account of an authentication system comes from Polybius, a Greek historian of the 2nd century BC. In Book 6 of his "Histories," Polybius describes how the Roman army managed the night watchword (tessera). As also discussed in our article on the origin and history of passwords, each evening the tribune had the watchword inscribed on a wooden tablet (the tessera itself) and handed it to a soldier of the last maniple, who carried it to the next maniple, and so on down the line until the tablet came back to the tribune before dark. If it did not come back, the tribune could tell from where the relay stopped which unit had failed to pass it on. During the night, sentries demanded the watchword at each post, and anyone who could not answer correctly was treated as an enemy.
This system has features that resonate with modern password management. First, the watchword changed every night, a prototype of password rotation. Second, the secret travelled on a physical token, though the tablet was a distribution vehicle rather than something each soldier presented at the post, so it anticipates secure key distribution more than multi-factor authentication. Third, the distribution chain was strictly controlled and verified: the tablet's return to the tribune was a delivery receipt confirming that every unit had received the secret, and a missing tablet localized the failure. That is the modern key distribution problem in miniature: the hard part is not choosing the secret but getting it to every legitimate party, and only them, and knowing that you did.
Medieval European Castle Gates and Secret Societies
From "Open Sesame" to Freemasonry
"Open Sesame" from "One Thousand and One Nights" is perhaps the world's most famous password. The tale of Ali Baba using a watchword to open the thieves' cave has no known Arabic manuscript source; it entered the collection through Antoine Galland's French translation in the early 18th century, which he took down from the Syrian storyteller Hanna Diyab. What is fascinating is that the story illustrates the fundamental vulnerability of passwords. Ali Baba's brother Cassim forgot the watchword, was trapped in the cave, and lost his life. A story three centuries old already demonstrated the danger of authentication that relies solely on "something you know": forgetting the secret locks the legitimate user out, and overhearing it lets anyone in, which is exactly how Ali Baba himself obtained it from the thieves.
In medieval Europe, castle gate watchwords were central to military and political security. Passing through a gate at night required giving the correct watchword to the gatekeeper. A single word was sometimes insufficient, and guilds and secret societies developed more elaborate authentication. The Freemasons, whose lodges grew out of the medieval stonemasons' guilds but whose documented ritual largely dates from the 18th century, combined secret words with specific handshakes (grips), body postures, and formulaic question-and-answer catechisms. This is often described as an early multi-factor scheme, but a secret handshake is still "something you know"; what it really anticipates is layered secrets and challenge-response, where a single overheard word is not enough to pass.
The Dawn of Computing - The World's First Computer Password
1961: MIT CTSS and Fernando Corbató
The world's first computer password was introduced in 1961 on MIT's Compatible Time-Sharing System (CTSS). Developer Fernando Corbató devised passwords to protect each user's files in an environment where many users shared one computer. Computers of the time were room-sized machines costing millions of dollars, shared among researchers in scheduled time slots, and each user had a limited allotment of machine time. Passwords kept users to their own allotment and out of each other's files.
However, the first password system was broken almost immediately. In 1962, PhD student Allan Scherr, who wanted more than his allotted computing time, submitted an offline request to print the password file; the system printed it without checking who was asking, so he obtained every user's password and used them to extend his own usage. That insider abuse is the first recorded password breach. Then, in 1966, a software bug caused the password file to be displayed as the message of the day to every user who logged in: two administrators editing the password file and the daily message at the same time triggered a flaw that swapped the two files. The history of passwords was, almost from birth, also a history of being broken.
Password storage methods also evolved. Early systems stored passwords in plaintext, and early Unix initially did the same before switching to a one-way transform based on a simulated M-209 cipher machine that proved fast enough to brute-force. In 1979, Robert Morris and Ken Thompson replaced it with the DES-based crypt() function that shipped with Seventh Edition Unix, documented in their paper "Password Security: A Case History." crypt() used the password as a DES key to encrypt a block of zeros 25 times over, producing a fixed-length string from which the original password could not be recovered. It also added a 12-bit random salt, stored next to the hash, that perturbed the DES computation so that identical passwords produced different hashes and any precomputed table had to be built 4,096 times over. This combination of irreversible transformation, per-user salt and deliberate slowness became the foundation of modern password storage. UNIX's /etc/passwd file became the canonical place to keep the hashes, world-readable until shadow password files later moved them into a root-only file.
The Era of Massive Password Breaches
From RockYou to Collection #1
The 2009 RockYou incident was a turning point for password security. Social app company RockYou was hacked, and 32 million passwords were leaked in plaintext - not even hashed. Analysis of the leaked data revealed that the most commonly used password was "123456," exposing how vulnerable user password choices were. The top 10 passwords alone accounted for 4.7% of all passwords.
In 2012, LinkedIn was attacked. About 6.5 million password hashes were posted publicly at the time, and in 2016 the full dump of 117 million accounts surfaced for sale. LinkedIn had hashed passwords with SHA-1 but without salt (random per-user data mixed into the hash), so every guess could be hashed once and compared against all 117 million hashes at the same time, and precomputed rainbow tables built for unsalted SHA-1 applied directly. This incident demonstrated to the industry that a fast hash alone is insufficient, and that a per-user salt and a deliberately slow, iterated function (bcrypt, scrypt, Argon2) are essential.
Collection #1, discovered in 2019, was the largest breach dataset loaded into Have I Been Pwned up to that point. Found by security researcher Troy Hunt, it contained 773 million unique email addresses and 21 million unique passwords. Collection #1 was not a single incident but aggregated data from many breaches over several years. The discovery confronted the world with the reality that once-leaked passwords circulate permanently and are folded into attackers' wordlists. These incidents are also covered in detail in our article on famous password breaches in history. Through them, it became widely recognized that password reuse is fatal, because a password leaked from one site is tried against every other, and that password managers are essential.
The Future of Passkeys and Biometric Authentication
Will a Passwordless World Become Reality?
Passkeys based on the FIDO2/WebAuthn standard developed by the FIDO Alliance are rapidly spreading as an alternative to passwords. As covered in detail in our article on passkeys and passwordless authentication, passkeys use public-key cryptography: the private key stays on the user's device, and only the public key is stored on the server. To log in, the server sends a fresh random challenge, the device signs it, and the server checks the signature against the stored public key. This means even if the server is compromised, the attacker obtains only public keys and cannot produce a valid signature. It also means passkeys resist phishing: the browser only offers a credential to the web origin it was registered for, so a lookalike domain cannot obtain a usable signature no matter how convincing its login page looks. Apple, Google, and Microsoft jointly committed to passkey support in May 2022 and shipped it across their platforms through 2023, and WebAuthn is now supported by every major browser. According to the FIDO Alliance's 2024 report, companies that adopted passkeys saw a 99.9% reduction in phishing incidents.
However, challenges remain before a passwordless world becomes reality. Biometric authentication is convenient, but fingerprints and irises have a fundamental problem: once leaked, they cannot be changed. When the US Office of Personnel Management (OPM) was hacked in 2015, fingerprint data of 5.6 million people was stolen. Passwords can be changed, but fingerprints cannot be changed for life. Note that this risk lies in systems that store biometric templates centrally; when a passkey is unlocked with a fingerprint or face, the match happens on the device and the server never receives biometric data. Additionally, passkeys are tied to an authenticator, so recovery after device loss or failure is a challenge: platform passkeys synced through iCloud Keychain or Google Password Manager mitigate it, while device-bound passkeys on hardware security keys require registering a backup key in advance. Ultimately, the most robust authentication combines three factors through multi-factor authentication: "something you know" (password), "something you have" (device), and "something you are" (biometrics). What 3,000 years of history teaches us is the danger of relying on any single authentication method.
Take Action Now
- Set up passkeys now on services that support them (Google, Apple, Microsoft, GitHub, etc.)
- For services without passkey support, use strong passwords generated by Passtsuku.com combined with a password manager
- Enable multi-factor authentication on all important accounts, building a two-layer defense of "something you know" and "something you have"; prefer an authenticator app or hardware security key over SMS codes, which can be intercepted through SIM swapping
- Check if your email address has been included in past breaches at Have I Been Pwned (haveibeenpwned.com)
For those interested in the deeper history of cryptography and authentication, books on the history of passwords and security (Amazon) offer fascinating insights into how humanity has grappled with the challenge of proving identity for millennia.
Frequently Asked Questions
- When and where was the world's first computer password created?
- It was introduced in 1961 on MIT's Compatible Time-Sharing System (CTSS) by Fernando Corbató. It was devised to protect each user's files in an environment where multiple users shared a single computer. The following year, 1962, saw the first password breach, when a student had the password file printed to gain extra computing time; in 1966 a software bug then displayed the password file to every user as the message of the day.
- Will passkeys make passwords completely unnecessary?
- Complete replacement is difficult at this point. Many services still do not support passkeys, and a password or recovery codes are still needed to recover from device loss. For now, the practical approach is to use passkeys where supported and manage strong, unique passwords with a password manager for unsupported services.
- Is biometric authentication safe? What happens if fingerprints are leaked?
- While biometric authentication is highly convenient, it carries the fundamental risk of being unchangeable once leaked. The 2015 US OPM hack resulted in 5.6 million fingerprint records being stolen. The risk lies in systems that store biometric templates centrally; a fingerprint used to unlock a passkey on your phone is matched on the device and never sent to the server. Biometrics should not be used alone but as one factor in multi-factor authentication combined with passwords or device authentication.