SYSTOLA
A Quick History of Everything
How passwords entered our lives, what has become of them and how SystoLOCK emerged to battle password-based authentication
Roman Kuznetsov @ 24.12.2024
A Quick History of Passwords
Before "password" became a computer term, the concept went through a huge transformation over the ages. And by ages we really mean ages: the time long before they were called passwords.
Password, /ˈpɑːswəːd/, noun, a secret word or phrase that must be used to gain access to a place.
Merriam-Webster dictionary
Passwords are something very human: abstract tokens needed to prove your status or your rights. In that sense, they are as old as human societies.

The very first reference to a password can be found in the Bible. The Book of Judges describes a battle between the Gileadites and the Ephraimites (two ancient tribes from the Jordan). The Gileadites used the word "shibboleth" to identify the Ephraimites as they tried to cross the river. The Ephraimites, because of their dialect, were unable to pronounce the word correctly, thus revealing their identity and leading to their capture. This linguistic test functioned as an early form of authentication, using a unique characteristic associated with regional differences to distinguish allies from enemies.
Ukrainians used a similar technique during the Russian war in 2022 and would ask strangers to pronounce the word “palyanyza” (Паляниця) to quickly spot an enemy by the way they would reply.
Later we read of the Romans who used the so-called watchwords as a form of authentication for their night watchmen stationed at the city gates. These secret words ensured that only those who knew them could be identified as allies in the dark, denying passage to anyone unable to give the correct answer.

Since those ancient times, passwords have always been a tool of the military and intelligence services, until around 1960, when passwords were introduced into a computer system and became an integral part of computational identity.

The first computer password is attributed to Fernando Corbato, a computer science professor at MIT, who, having built a computer to be shared by many people, used passwords as a means of identifying individual users so that they could be authorized to use the time slots allocated to them. And, of course, the first password breach was carried out on the very same computer, when Allan Scherr, a student also at MIT, dumped all the passwords and used them to gain access to the time slots allocated to others.

To prevent users from doing this, a new technique was later introduced: initially something similar to scrambling, which later developed into password hashing, a method still used today to store passwords securely. A more or less official milestone for storing passwords in hashed form is attributed to Unix around 1974.
Passwords became ubiquitous: they were everywhere and they all had to be remembered, which created a new problem, because passwords were not user-friendly. Users began to "cheat", reusing passwords across different systems or choosing ridiculously simple ones, starting with 12345 and culminating in one-character passwords such as *.

Something had to be done to protect the security principles behind passwords, so password policies were introduced in the 1980s, mandating minimum password length, complexity and age. These guidelines remained unrevised for about 40 years, until NIST recently declared that cyclical password changes do not add to security but actually weaken it, because people tend to write down secrets that are now very complex and hard to remember. And as complex, policy-mandated passwords flooded institutions and businesses of all sizes, password managers began to emerge in the 1990s, the first of which was written by none other than Bruce Schneier himself.

The computerised society was not ready for strong passwords, while internet connectivity and increasing computing power paved the way for criminals to steal, crack and brute-force passwords. A new technique was proving very effective against them: two-factor authentication. Two-factor authentication, or 2FA, is a technique in which a user provides not one but two different aspects (factors) of their authentication, and these factors must be very different in nature. Typically, a password is used as the first factor (knowledge), while a second factor, often something that proves ownership, provides additional proof.

Although 2FA was formally developed in the 1980s (with RSA and AT&T as forerunners), it did not take off at scale until the means of providing the second factor became more accessible.

2FA made the world a safer place, but not for very long. In most of these systems passwords still played a crucial role in authentication, and soon we started seeing news of 2FA being bypassed here and there on an almost daily basis. Something completely new had to come: not just another layer of security to patch a now broken design, but a completely new approach to authentication.

This new approach finally had a name: passwordless multi-factor authentication. It used two or more factors for authentication, none of which was a password. It used advanced cryptography under the hood, yet it was very user-friendly and finally promised to solve all the problems of previous authentication schemes.

Systems secured by passwordless MFA became almost unbreakable, and so passwords were doomed to disappear in the not-too-distant future.
Timeline: Password Through the Ages
XI B.C. - Battle of the Jordan River: Shibboleth
Linguistic differences served as a form of authentication in the ancient battle between the Gileadites and the Ephraimites.

I A.D. - The Romans: Watchwords
Passwords to distinguish between enemies and allies in the dark.

1961 - Fernando Corbato: First computer password
Fernando Corbato created passwords to distribute computing time among the different users of a large multi-user computer.

1970s - Password hashing: 5f4dcc3b5aa765d61d8327deb882cf99
Passwords are now stored in a scrambled form that is safe from deciphering even if accessed by an adversary.

1980s - Password policies: Length, complexity, age
Mandate rules for password usage and try to prevent users from creating insecure passwords or using them in an insecure way.

1990s - Password managers: Bringing order to the chaos
Bruce Schneier creates the first password manager under the name Password Safe to store and manage passwords in one place.

2000s - 2FA: An extra layer
A second factor brings additional authentication data to help secure a potentially insecure password.

2020s - Passwordless: No password => no attack
The ultimate solution to the problem of password (in)security is the removal of the password and its replacement with better security mechanisms.
A quick history of SystoLOCK
In 2007, as part of its offering as one of the first cloud-based RDP service providers, Systola faced a challenge: customers were connecting to our servers over the Internet and using their password-based credentials to authenticate to the RDP farms.

All the known security mechanisms were bound to be impractical here: VPNs, smart cards, etc. Something new, portable and very simple was needed. But there was one thing that bothered us no matter what we used: passwords. We had to distribute, secure and maintain them. And we had to make sure they could not be compromised - an impossible task.

Since we could not get rid of passwords, we had to at least ensure that they did not leave the premises, and the only way to do that was to provide automatic, under-the-hood password management for the user. This, as we later found out, was what other MFA vendors were doing (and to some extent still do). Thus was born the first generation of SystoLOCK, in which an MFA credential, after successful verification, was replaced by a pre-generated password stored elsewhere, without the user being aware of it.

The solution was robust, but did not scale beyond local logon and RDP with network-level authentication (NLA) disabled, and that was exactly when Microsoft was pushing everyone to start enforcing NLA on remote desktop connections. We needed to update the protocol.

After a major breakthrough in R&D, a new and completely redesigned SystoLOCK was born. With its core technology rewritten and patented, and carrying internal version 2, it was now capable of authenticating against any node known to the network.

This time, instead of using a password to authenticate the user, we used a digital certificate. And to make sure that a password attack is impossible, we removed the actual user password altogether, so that the only way to authenticate is with the SystoLOCK credentials.
The system was so good that we took it to one of the last CeBITs to exhibit and brag about it.

It was amazing to see the growing interest of the public towards something completely new.
SystoLOCK at CeBIT - an interview during the trade fair
The real hard work was yet to come: the new authentication scheme made the system very secure, but less user-friendly. Users had to type more, typos increased, and adoption was low. Around the end of 2019, SystoLOCK Companion was introduced: the mobile application that now enables keyless login, phishing-resistant tokens and many other useful features. The app solved all the ergonomic problems and made SystoLOCK the most user-friendly MFA system you have ever seen.

Now SystoLOCK is capable of authenticating users with various methods and, thanks to its universal architecture, new authentication schemes are being introduced constantly, opening the door to new, secure and ergonomic ways of working.
Timeline: SystoLOCK Through the Years
2007 - Initial idea: Aimed at securing access to RDP via the Internet
By using SystoLOCK Generation 1, we were able to deliver services over the Internet without exposing passwords outside the network.

2015 - Generation 2 is conceived: The new, scalable approach
Generation 2 used digital certificates under the hood instead of passwords to securely authenticate users.

2017 - Patent: Core technology
The core idea has not changed since then: any "foreign" credential can be turned into a secure, one-time certificate.

2018 - CeBIT: Showcase at one of the largest technology fairs of the time
SystoLOCK was unveiled to the public at CeBIT, where we made waves with prospective customers and competitors by demonstrating our resistance to password theft.

2019 - Fast Login: Assisted authentication methods
With the new and advanced SystoLOCK Companion authenticator app, users can now use their phone as an extension of themselves, eliminating the need for typing and the dangers of phishing.

2021 - Sales start: First paying customers
SystoLOCK is now a mature product with a solid customer base that enjoys secure authentication at a very intrinsic level.

Now - Everything is possible: Pluggable authentication model
SystoLOCK is now able to authenticate in multiple scenarios and with multiple authentication means, making its way to becoming a de facto standard in authentication.