The password is one of the oldest security devices in human history. In ancient Rome, sentinels demanded a "tessera" — a password engraved on a wooden tablet — to authorise the passage of soldiers at night. The Greek historian Polybius (2nd century BC) describes in his Histories how the "watchword" was distributed each evening by the military tribune, passed from guard to guard throughout the camp. The Bible mentions a similar use in the Book of Judges (12:5-6): the Gileadites identified Ephraimites by asking them to pronounce "Shibboleth" — those who said "Sibboleth" were unmasked. This "linguistic password" became a foundational concept in computer security.
During the Middle Ages, fortified castles and walled cities used passwords to control access to their gates. Medieval guilds, notably the Freemasons, developed elaborate systems of words, signs and handshakes to recognise their members. The "Mason's Word", transmitted orally during initiation, served to prove membership of the brotherhood. During the Hundred Years' War (1337-1453), English and French armies used daily passwords to distinguish allies from enemies during night fighting. The chronicler Jean Froissart reports that confusion over passwords at the Battle of Crécy (1346) caused the death of many soldiers through friendly fire.
The computer era of passwords began in 1961 at MIT, when Fernando Corbató implemented the first password authentication system for the Compatible Time-Sharing System (CTSS). This system allowed multiple users to share an IBM 7094 computer while protecting each user's files. As early as 1962, Allan Scherr, a doctoral student at MIT, carried out the first known "attack": he found the master file containing all passwords in plain text and printed them, thereby gaining extra computing time. This anecdote illustrates the fundamental vulnerability of plain-text storage.
The science of passwords took a major turn in 1976 when Robert Morris Sr., a researcher at Bell Labs, invented password hashing under Unix with the crypt() function, based on the DES algorithm. For the first time, passwords were no longer stored in plain text but as an irreversible "hash". In 1979, Morris added the concept of "salt" — a random value added before hashing to prevent attacks using precomputed tables. Entropy, a concept borrowed from Claude Shannon's information theory (1948), became the standard measure: E = L × log₂(N), where L is the length and N the number of possible characters. A 12-character mixed password reaches approximately 79 bits of entropy, enough to withstand brute force for millennia.
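The two ideas in this paragraph, the entropy formula and salted hashing, are easy to see in working code. The block below is an added example, not code from the original article or from Unix crypt(): it computes E = L × log₂(N) (which only holds when every character is chosen uniformly at random, so for human-chosen passwords it is an upper bound), converts the result into an expected brute-force time at an assumed guess rate, and contrasts unsalted storage (defeated by a precomputed table) with per-password salted PBKDF2-HMAC-SHA256 from the standard library. The 95-character pool, the class sizes, the 10¹² guesses/second rate and the word list are assumptions made for the example.

```python
import hashlib
import hmac
import math
import os
import string

# Pool sizes by character class (assumed: 26 + 26 + 10 + 33 = 95, the
# printable ASCII characters behind the "12 characters ≈ 79 bits" figure).
CLASSES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation + " ", 33),
}

SECONDS_PER_YEAR = 31_557_600
# Constructed word list standing in for a breach corpus such as RockYou.
COMMON_WORDS = ["123456", "12345", "password", "qwerty", "letmein"]


def entropy_bits(length, alphabet_size):
    """E = L * log2(N): entropy of L characters drawn uniformly from a pool of N."""
    return length * math.log2(alphabet_size)


def estimated_entropy(password):
    """Upper-bound estimate: the pool is the union of the character classes present."""
    n = sum(size for chars, size in CLASSES.values() if any(c in chars for c in password))
    return entropy_bits(len(password), n)


def years_to_brute_force(bits, guesses_per_second):
    """Expected time to hit a uniformly random secret: half the space on average."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def unsalted_storage(password):
    """Pre-1979 style: one deterministic digest per password, no salt."""
    return hashlib.sha256(password.encode()).digest()


def precomputed_table(words):
    """A lookup table from unsalted digest back to the word: one hash per word, reused forever."""
    return {unsalted_storage(w): w for w in words}


TABLE = precomputed_table(COMMON_WORDS)


def recover_from_table(table, digest):
    """Return the word behind a stored digest if it was precomputed, else None."""
    return table.get(digest)


def hash_password(password, salt=None, iterations=600_000):
    """Salted, iterated storage. A fresh 16-byte salt per password means a table
    would have to be rebuilt for every salt value, which is what makes it useless."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=600_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ["123456", "Tr0ub4dor&3", "correct horse battery staple"]:
        bits = estimated_entropy(pw)
        print(f"{pw!r}: ~{bits:.1f} bits, ~{years_to_brute_force(bits, 1e12):,.0f} years at 1e12 guesses/s")
    print("12 random printable chars:", round(entropy_bits(12, 95)), "bits")
    print("unsalted 'password' recovered:", recover_from_table(TABLE, unsalted_storage("password")))
    salt, digest = hash_password("password", iterations=10_000)
    print("salted 'password' recovered:", recover_from_table(TABLE, digest))
    print("verify OK:", verify_password("password", salt, digest, iterations=10_000))
```

The crack-time figure assumes the attacker must search the whole space uniformly; a password that merely contains all four character classes but follows a dictionary word gets the same estimate here while being far weaker in practice, which is exactly the gap between measured entropy and human behaviour that the following paragraphs describe.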
The psychology of passwords reveals fascinating paradoxes. In 2003, Bill Burr of the National Institute of Standards and Technology (NIST) published Appendix A of document SP 800-63, recommending complex passwords with uppercase letters, numbers and special characters. In 2017, in an interview with the Wall Street Journal, he admitted that this recommendation was "largely wrong": users circumvent complexity with predictable substitutions ("P@ssw0rd!") and frequent changes push people towards weak patterns. Psychologist Jeff Yan of the University of Cambridge demonstrated in 2004 that passwords based on mnemonic phrases are both stronger and more memorable than those based on pure complexity.
The contemporary industry is undergoing a profound transformation. NIST revised its guidelines in 2017 (SP 800-63B), favouring length over complexity and abandoning mandatory periodic expiry. Microsoft followed in 2019 by removing password rotation from its security baselines. The RockYou data breach of 2009 — 32 million passwords exposed in plain text — revealed that "123456" topped the charts, followed by "12345" and "password". In 2023, the NordPass report confirmed that "123456" remains the world's most used password, cracked in under a second. The Argon2 algorithm, winner of the Password Hashing Competition in 2015, represents the state of the art in hashing. Meanwhile, passkeys based on FIDO2/WebAuthn, promoted by Google, Apple and Microsoft since 2022, may herald the end of the traditional password era.
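The shift from Burr's 2003 complexity rules to the 2017 SP 800-63B guidance, described in the two paragraphs above, translates into a concrete verifier policy: a minimum length, no composition rules, no expiry, and a check against a blocklist of breached and common passwords. The block below is an added example written for this article, not NIST's or any vendor's code. It implements that policy and also undoes the predictable substitutions ("P@ssw0rd!") Burr regretted, so that a substituted variant of a blocklisted word is caught too. The substitution map, the 4-character run thresholds and the tiny blocklist are assumptions; a real deployment would load a breach corpus such as RockYou.

```python
import re
import string

MIN_LEN = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LEN = 64   # SP 800-63B: verifiers should accept at least 64 characters

# Symbol-for-letter substitutions users apply to satisfy composition rules.
# The mapping is an assumption for this example, not a standard table.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i",
                      "3": "e", "5": "s", "$": "s", "7": "t"})

# Constructed blocklist standing in for a breach corpus; stored lowercase.
COMMON = {"123456", "12345", "password", "qwerty", "letmein"}


def normalize(password):
    """Lowercase, drop leading/trailing digits and punctuation, undo substitutions.
    'P@ssw0rd!' -> 'password', 'Pa55w0rd1' -> 'password'."""
    core = password.lower().strip(string.punctuation + string.digits)
    return core.translate(LEET)


def has_repeat(password, run=4):
    """True if any single character repeats `run` or more times in a row ('aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def has_sequence(password, run=4):
    """True if `run` consecutive characters ascend or descend by one ('1234', 'dcba')."""
    codes = [ord(c) for c in password]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(password, blocklist=COMMON, username=None):
    """Return the list of policy violations; an empty list means the password is accepted.
    Deliberately absent: uppercase/digit/symbol requirements and expiry dates."""
    reasons = []
    if len(password) < MIN_LEN:
        reasons.append("shorter than 8 characters")
    if len(password) > MAX_LEN:
        reasons.append("longer than 64 characters")
    lowered = password.lower()
    if lowered in blocklist:
        reasons.append("appears in the blocklist")
    normalized = normalize(password)
    if normalized and normalized != lowered and normalized in blocklist:
        reasons.append("matches a blocklisted password after undoing common substitutions")
    if has_repeat(password):
        reasons.append("contains 4 or more repeated characters")
    if has_sequence(password):
        reasons.append("contains a sequential run of 4 or more characters")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    return reasons


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd!", "aaaaaaaa1", "alice-summer-2024",
                      "correct horse battery staple"]:
        verdict = check_password(candidate, username="alice")
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Because the check is applied when a password is set rather than enforced through periodic rotation, a user who picks a long phrase is never pushed towards the "Summer2024!" style of increment that expiry policies produce; the blocklist, not the character mix, is what rejects the weak choices the RockYou and NordPass lists record.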