The Origin of Passwords - From Ancient Roman Watchwords to Biometric Authentication


Passwords are not a modern invention. From Roman soldiers whispering watchwords in the dark to MIT researchers creating the first computer login system, the concept of "proving who you are with a secret" spans over 3,000 years. This article traces the surprisingly entertaining history of passwords, from ancient battlefields to the passkey revolution that may finally make them obsolete.

Passwords Are Disappearing After 3,000 Years

The history of passwords, which began with Roman watchwords, exploded with the advent of computers and is now approaching its end through passkeys and biometric authentication. Yet one thing has remained constant for 3,000 years: the need to prove you are who you claim to be. The method has evolved from spoken words to hashed passwords to biometrics, but the concept of authentication itself has walked alongside human civilization.

Roman Military Watchwords - The Origin of Passwords

Password history dates back to the Roman military before the Common Era. According to the historian Polybius, Roman soldiers used "watchwords" to distinguish friend from foe during night watches. The watchword was written on a wooden tablet and distributed to each unit before sunset. Anyone approaching the camp at night was challenged for the watchword - failure to answer correctly meant being treated as an enemy.

Interestingly, this system already faced the same challenges as modern security. What if the watchword leaked to the enemy? The Romans addressed this by changing the watchword daily - an early form of today's "regular password rotation" policy. However, modern security research suggests that strong passwords matter more than frequent changes.

"Open Sesame" - The Oldest Password in Literature

"Open Sesame" from "Ali Baba and the Forty Thieves" is perhaps the most famous password in literature. Thieves use it to open a cave door, and Ali Baba overhears it to claim the treasure. This story appears in "One Thousand and One Nights" from around the 8th century, showing that the password concept has been a storytelling motif for at least 1,200 years.

From a security perspective, the "Open Sesame" story brilliantly illustrates the fundamental weakness of passwords. Since authentication passes simply by "knowing" the password, eavesdropping is game over. This is exactly the same dynamic as modern keyloggers and phishing attacks stealing passwords.

Prohibition-Era Speakeasies - Password Culture

During America's Prohibition era in the 1920s, illegal bars called "speakeasies" required a password to enter. You had to tell the correct password to a bouncer peering through a small window in the door. Passwords were changed frequently and shared only by word of mouth among regulars.

In modern security terms, this was authentication via "shared secret." Only those who knew the password could access the bar, but the weakness of spreading by word of mouth - high leakage risk - is the same as today. Incidentally, the name "speakeasy" itself comes from "speak easy," a reminder to say the password quietly.

1961 MIT CTSS - The World's First Computer Password

The history of computer passwords begins in 1961 with MIT's Compatible Time-Sharing System (CTSS). CTSS allowed multiple users to share one computer, and passwords were introduced to prevent users from seeing each other's files. Developer Fernando Corbató later reflected that "passwords were a primitive solution."

Remarkably, the world's first password breach occurred the very next year, in 1962. A researcher discovered a command that printed the password file, exposing all users' passwords in plain text. This event was the world's first demonstration of the danger of storing passwords in plain text.

1970s Unix crypt() - The Birth of Password Hashing

The CTSS incident made it clear that storing passwords in plain text was dangerous. In the 1970s, Unix developer Robert Morris Sr. introduced the crypt() function, which hashed passwords before storing them. Instead of saving the password itself, the system saved a mathematical transformation of it. When a user logged in, the entered password was hashed and compared against the stored hash. Even if an attacker obtained the password file, they could not directly read the passwords. Morris also introduced the concept of salt - adding random data to each password before hashing to prevent identical passwords from producing identical hashes. These two innovations - hashing and salting - remain the foundation of password security today. For more on how modern systems protect passwords, see encryption basics.
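The effect of the salt can be seen on a small constructed password file. This is an added example, not code from Unix or from this article's author: the function names and sample accounts are hypothetical, and SHA-256 and scrypt (from Node's built-in crypto module) stand in for the original crypt() algorithm.

```javascript
const crypto = require('node:crypto');

// Unsalted: the stored record depends only on the password.
function unsaltedRecord(password) {
  return crypto.createHash('sha256').update(password, 'utf8').digest('hex');
}

// Salted: a random per-user salt is stored beside the hash.
// (scrypt is an assumption of this example; the article names only crypt().)
function saltedRecord(password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, 32);
  return `${salt.toString('hex')}:${hash.toString('hex')}`;
}

// Login check: re-hash the entered password with the stored salt and compare.
function verifyPassword(password, record) {
  const [saltHex, hashHex] = String(record).split(':');
  if (!saltHex || !hashHex) return false;          // malformed record
  const expected = Buffer.from(hashHex, 'hex');
  if (expected.length !== 32) return false;        // wrong length or bad hex
  const actual = crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), 32);
  return crypto.timingSafeEqual(actual, expected); // constant-time comparison
}

// What someone holding the password file sees without cracking anything:
// groups of accounts whose stored records are identical.
function identicalRecordGroups(file) {
  const byRecord = new Map();
  for (const [user, record] of Object.entries(file)) {
    byRecord.set(record, [...(byRecord.get(record) || []), user]);
  }
  return [...byRecord.values()].filter((users) => users.length > 1);
}

// Constructed sample accounts: alice and carol chose the same password.
const SAMPLE_USERS = { alice: 'correct horse', bob: 'tr0ub4dor', carol: 'correct horse' };

function buildFile(makeRecord) {
  return Object.fromEntries(
    Object.entries(SAMPLE_USERS).map(([user, pw]) => [user, makeRecord(pw)]));
}
```

With `buildFile(unsaltedRecord)` the file reveals that alice and carol share a password; with `buildFile(saltedRecord)` every record is distinct, yet `verifyPassword` still accepts the correct password for each account.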

2000s - The Rise of Multi-Factor Authentication

As the internet spread, password breaches surged, and the realization that "passwords alone are not enough" took hold. In the 2000s, multi-factor authentication (MFA) began to spread. By combining passwords (knowledge factor) with SMS codes (possession factor) or fingerprints (biometric factor), security was significantly strengthened.

Google introduced two-step verification in 2011, and Apple brought Touch ID to the iPhone in 2013, making multi-factor authentication accessible to everyday users. For details, see the two-factor authentication guide.

2020s Passkey Revolution - A Future Without Passwords

The 2020s are witnessing the most dramatic shift in authentication history: the passkey. Developed by the FIDO Alliance with support from Apple, Google, and Microsoft, passkeys use public-key cryptography to eliminate passwords entirely. Instead of typing a password, you authenticate with your device's biometrics (fingerprint or face recognition), and a cryptographic key pair handles the rest. Passkeys cannot be phished, cannot be reused across sites, and cannot be leaked in a database breach. For a deeper look at this transition, see the passkey guide and biometric authentication risks.

For those who want to explore authentication history further, books on cryptography history (Amazon) can be a great resource.

Frequently Asked Questions

When was the first computer password created?
In 1961, at MIT's Compatible Time-Sharing System (CTSS). It was created to protect each user's files when multiple users shared one computer. The world's first password breach occurred the very next year, in 1962.

What are passkeys and how do they differ from passwords?
Passkeys are a next-generation authentication method developed by the FIDO Alliance using public-key cryptography. Unlike passwords, you do not need to remember or type anything - you authenticate with your device's biometrics (fingerprint or face). They are resistant to phishing, eliminate reuse problems, and cannot be leaked in database breaches.

What is password hashing?
Hashing transforms a password through a mathematical function into an irreversible string (hash value). It was first practically implemented in the 1970s with Unix's crypt() function. Servers store hash values instead of passwords themselves, so even if a database is breached, passwords cannot be directly read.
