Computer passwords never were very secure

Password management remains an oddly thorny challenge, with businesses commonly foiled by poor user practices and other frailties of human nature. Why is the computer password such a perennial trial? It turns out, Wired's Robert McMillan reports, that those who invented it weren't really all that concerned about security.

It can't be said with 100 percent certainty, but the first computer password may have originated at the Massachusetts Institute of Technology in the mid-1960s, McMillan writes. Researchers working on MIT's Compatible Time-Sharing System decided to create a password for each person who worked on a set of terminals so that they could maintain their own private files, according to Fernando Corbató, who headed the CTSS project. (Corbató thought that maybe the idea of the password started at IBM (NYSE: IBM), but IBM couldn't say one way or the other.)

The CTSS researchers could have opted instead for knowledge-based authentication, but that would have required more stored data, and they preferred not to allocate computing resources to that, said Fred Schneider, a computer science professor at Cornell University.

Plus, those researchers "didn't really care much about security," McMillan writes. When a programming bug mixed up the CTSS master password file and welcome message in 1966, the whole list of passwords was revealed to anybody logging on.

The password protection system was vulnerable in simpler ways as well, as one young researcher, Allan Scherr, demonstrated in 1962. Scherr needed more time on the system than his allotted hours gave him, so late one evening he found a way to get a complete list of the passwords and co-opt other researchers' time.

"There was a way to request files to be printed offline by submitting a punched card," Scherr recalled. "Late one Friday night, I submitted a request to print the password files and very early Saturday morning went to the file cabinet where printouts were placed and took the listing."

Then, because there is safety in numbers, Scherr shared the passwords with other users. But it took him 25 years before he fessed up to his supervisor at MIT.

For more:
- see Robert McMillan's article at Wired
