If you’re like most people, you’re annoyed by passwords. You’ve got dozens to remember — some of them tortuously complex — and on any given day, as you read e-mails, send tweets, and order groceries online, you’re bound to forget one, or at least mistype it. You may even be one of those unfortunate people who’ve had a password stolen, thanks to the dodgy security on the machines that store them.

But who’s to blame? Who invented the computer password?

Like the invention of the wheel or the story of the doorknob, the password’s creation is shrouded in the mists of history. Romans used them. Shakespeare kicks off Hamlet with one — “Long live the King” — when Bernardo must prove he’s a loyal soldier of the King of Denmark. But where did the first computer password show up?

It probably arrived at the Massachusetts Institute of Technology in the mid-1960s, when researchers at the university built a massive time-sharing computer called CTSS. The punchline is that even then, passwords didn’t protect users as well as they could have. Technology changes. But, then again, it doesn’t.

Nearly all of the computer historians contacted by Wired in the past few weeks said that the first password must have come from MIT’s Compatible Time-Sharing System. In geek circles, it’s famous. CTSS pioneered many of the building blocks of computing as we know it today: things like e-mail, virtual machines, instant messaging, and file sharing.

Fernando Corbató — the man who shepherded the CTSS project back in the mid-1960s — is a little reluctant to take credit. “Surely there must be some antecedents for this mechanism,” he told us, before questioning whether the CTSS was beaten to the punch by IBM’s $30 million Sabre ticketing system, a contraption built in 1960, back when $30 million could buy you a handful of jetliners. But when we contacted IBM, it wasn’t sure.

According to Corbató, even though the MIT computer hackers were breaking new ground with much of what they did, passwords were pretty much a no-brainer. “The key problem was that we were setting up multiple terminals which were to be used by multiple persons but with each person having his own private set of files,” he told Wired. “Putting a password on for each individual user as a lock seemed like a very straightforward solution.”

Back in the ’60s, there were other options, according to Fred Schneider, a computer science professor at Cornell University. The CTSS guys could have gone for knowledge-based authentication, where instead of a password, the computer asks you for something that other people probably don’t know — your mother’s maiden name, for example.

But in the early days of computing, passwords were surely smaller and easier to store than the alternative, Schneider says. A knowledge-based system “would have required storing a fair bit of information about a person, and nobody wanted to devote many machine resources to this authentication stuff.”

The irony is that the MIT researchers who pioneered the passwords didn’t really care much about security. CTSS may also have been the first system to experience a data breach. One day in 1966, a software bug jumbled up the system’s welcome message and its master password file so that anyone who logged in was presented with the entire list of CTSS passwords. But that’s not the good story.

Twenty-five years after the fact, Allan Scherr, a Ph.D. researcher at MIT in the early ’60s, came clean about the earliest documented case of password theft.

In the spring of 1962, Scherr was looking for a way to bump up his usage time on CTSS. He had been allotted four hours per week, but it wasn’t nearly enough time to run the detailed performance simulations he’d designed for the new computer system. So he simply printed out all of the passwords stored on the system.

“There was a way to request files to be printed offline by submitting a punched card,” he remembered in a pamphlet written last year to commemorate the invention of the CTSS. “Late one Friday night, I submitted a request to print the password files and very early Saturday morning went to the file cabinet where printouts were placed and took the listing.”

To spread the guilt around, Scherr then handed the passwords over to other users. One of them — J.C.R. Licklieder — promptly started logging into the account of the computer lab’s director Robert Fano, and leaving “taunting messages” behind.

Scherr left MIT in May 1965 to take a job at IBM, but 25 years later he confessed to Professor Fano in person. “He assured me that my Ph.D. would not be revoked.”

http://www.wired.com/wiredenterprise/2012/01/computer-password/