3 Billion Passwords Were Leaked in 2024. The First Password Breach Happened in 1962 — at MIT.
MIT's CTSS introduced the first computer password in 1961. Within a year, a PhD student found a way to print every user's password. The arms race has never stopped.
Key Takeaways
- MIT's CTSS introduced computer passwords in 1961 — the first multi-user login system
- Allan Scherr printed every CTSS password in 1962 — the first known password breach
- Robert Morris Sr. invented password hashing in 1976 for Unix
- Over 3 billion credentials were leaked in data breaches in 2024 alone
- Passkeys and FIDO2 may finally replace passwords after 60+ years
Root Connection
Allan Scherr's 1962 MIT password theft → 3 billion leaked credentials in 2024
ROOT
Before 1961, computers didn't need passwords because computers didn't share. One machine, one operator, one job at a time. You walked up, fed in your punch cards, waited, and collected your output. There was no concept of "logging in" because there was no one to log in as. The machine didn't know you. It didn't need to.
That changed when Fernando Corbató and his team at MIT built the Compatible Time-Sharing System (CTSS) — one of the first operating systems that allowed multiple users to share a single computer simultaneously. CTSS ran on a modified IBM 7094 mainframe and gave each user their own private file storage, their own terminal session, and the illusion that they had the entire machine to themselves. It was a revolutionary leap in computing architecture, and it created a problem that had never existed before: how do you keep one user from accessing another user's files?
Corbató's solution was simple and, in retrospect, almost naively direct. Each user was assigned a password — a secret string of characters that they would type to prove their identity. The system stored all passwords in a plaintext file on the machine. No encryption. No hashing. No salting. Just a file, sitting on the system, containing every user's secret in readable text. The assumption was that since only authorized users could access the system, and since the password file was protected by the system's access controls, it was safe enough.
It wasn't. In 1962, a PhD student named Allan Scherr was frustrated with his allotted computer time. CTSS gave each user a four-hour daily limit, and Scherr's simulations needed more. He discovered that you could request a printout of any file on the system by submitting a punch card with the right command. The password file was just a file. So Scherr requested a printout of it. The system obliged. He walked away with every password on the machine, printed on paper.
Scherr didn't keep the bounty to himself. He shared the printed passwords with fellow students, who used them to log in under other users' accounts and consume their allotted time. The breach wasn't discovered for some time, and when it was, the response was notably muted. There were no firings, no criminal charges, no congressional hearings. It was treated as a prank — a clever exploit by a resourceful student. Scherr didn't publicly admit to the incident until 2004, in a presentation at an IEEE conference, more than 40 years later.
Corbató himself went on to lead the development of Multics, CTSS's successor, which introduced significant security improvements including encrypted password storage. He received the Turing Award in 1990 for his contributions to operating system design. But he was never under any illusions about what he'd created. In a 2014 interview, Corbató called passwords "kind of a nightmare" and admitted that even he couldn't keep track of all of his. The man who invented the computer password was, like the rest of us, overwhelmed by them.
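The storage weakness in this section, as an added example (not code from CTSS, Multics or Unix): a plaintext password file beside a salted, hashed one, and what a printout of each would reveal. The account names, passwords and scrypt parameters are constructed assumptions, and scrypt stands in for whichever password hash a system uses.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real CTSS users or passwords).
ACCOUNTS = {"alice": "tr0ub4dor", "bob": "tr0ub4dor", "carol": "correct horse"}

# Assumed scrypt cost parameters for this example.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def plaintext_file(accounts):
    """CTSS-style storage: one 'user:password' line per account."""
    return "\n".join(f"{user}:{pw}" for user, pw in accounts.items())


def hashed_file(accounts):
    """One 'user:salt_hex:hash_hex' line per account, fresh salt for each."""
    lines = []
    for user, pw in accounts.items():
        salt = os.urandom(16)
        digest = hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT)
        lines.append(f"{user}:{salt.hex()}:{digest.hex()}")
    return "\n".join(lines)


def verify(file_text, user, attempt):
    """Check a login attempt against the hashed file, comparing in constant time."""
    for line in file_text.splitlines():
        name, salt_hex, hash_hex = line.split(":")
        if name == user:
            salt = bytes.fromhex(salt_hex)
            digest = hashlib.scrypt(attempt.encode(), salt=salt, **SCRYPT)
            return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    return False


def leaked_passwords(file_text, accounts):
    """Passwords that can be read verbatim from a printout of the file."""
    return sorted({pw for pw in accounts.values() if pw in file_text})


if __name__ == "__main__":
    print(leaked_passwords(plaintext_file(ACCOUNTS), ACCOUNTS))  # every password
    print(leaked_passwords(hashed_file(ACCOUNTS), ACCOUNTS))     # nothing readable
```

Because each account gets its own salt, alice and bob share a password but not a stored hash, so the file does not even reveal which users chose the same secret.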
TODAY
Allan Scherr's printout contained perhaps a few dozen passwords. Sixty-three years later, the scale of credential exposure defies comprehension. In July 2024, a file called RockYou2024 appeared on a popular hacking forum containing nearly 10 billion unique plaintext passwords — the largest credential compilation ever assembled, aggregated from thousands of breaches spanning two decades. It was not a single hack but a monument to cumulative failure, a library of every stolen secret the internet had ever leaked.
Troy Hunt's Have I Been Pwned database, the internet's de facto breach notification service, now tracks over 13 billion compromised accounts across more than 700 breached websites and services. The probability that your email address appears in at least one breach dataset is, statistically, near certain if you've been online for more than a few years. The 2025 Verizon Data Breach Investigations Report found that 81% of hacking-related breaches involved stolen or weak credentials — a figure that has barely moved in a decade.
The attack methodology has industrialized. Credential stuffing — the automated process of trying stolen username-password combinations against thousands of websites simultaneously — runs continuously against every major service on the internet. The logic is simple: people reuse passwords. A breach at a small e-commerce site yields credentials that work at a major bank because the user chose the same password for both. Automated tools test millions of combinations per hour, and the hit rate is consistently between 0.1% and 2% — more than enough to be profitable at scale.
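One way a defender can spot the pattern described above in authentication logs, as an added example that is not part of the original article: a source that tries many distinct accounts with a hit rate in the low single digits. The log format, addresses, usernames and thresholds are constructed assumptions.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed auth log, one 'source_ip username result' per line."""
    lines = []
    # One source tries 200 distinct accounts once each; 2 succeed (1% hit rate).
    for i in range(200):
        result = "ok" if i in (57, 143) else "fail"
        lines.append(f"203.0.113.9 user{i:03d} {result}")
    # An ordinary user who mistypes twice, then logs in.
    lines += ["198.51.100.4 dana fail"] * 2 + ["198.51.100.4 dana ok"]
    # A shared office address: several users, almost all successful.
    lines += [f"192.0.2.20 {name} ok" for name in ("eli", "fay", "gus", "hal")]
    lines.append("192.0.2.20 eli fail")
    return lines


def summarize(lines):
    """Per source IP: attempt count, usernames tried, usernames that got in."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ok_users": set()})
    for line in lines:
        ip, user, result = line.split()
        entry = stats[ip]
        entry["attempts"] += 1
        entry["users"].add(user)
        if result == "ok":
            entry["ok_users"].add(user)
    return stats


def flag_stuffing(lines, min_users=20, max_hit_rate=0.05):
    """Flag sources that try many distinct accounts and open very few.

    Thresholds are illustrative assumptions; tune them to real traffic.
    """
    flagged = {}
    for ip, entry in summarize(lines).items():
        hit_rate = len(entry["ok_users"]) / len(entry["users"])
        if len(entry["users"]) >= min_users and hit_rate <= max_hit_rate:
            flagged[ip] = {
                "distinct_users": len(entry["users"]),
                "hit_rate": hit_rate,
                # Accounts that logged in from a flagged source need a reset.
                "accounts_to_reset": sorted(entry["ok_users"]),
            }
    return flagged
```

The few successes from a flagged source matter most: those are accounts whose reused password worked, so they are the ones to lock and reset.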
The solutions exist but adoption lags dangerously behind the threat. Password managers — software that generates and stores unique, complex passwords for every account — are used by only about 30% of internet users as of 2025. Multi-factor authentication (MFA), which requires a second verification step beyond the password, is available on most major platforms but enabled by a minority of users. Passkeys, the FIDO2 standard that replaces passwords entirely with cryptographic key pairs stored on your device, have been adopted by Apple, Google, and Microsoft but remain unfamiliar to most consumers.
The irony deepens when security companies themselves become targets. In December 2022, LastPass — one of the world's most popular password managers, trusted by 33 million users to protect their credentials — disclosed that attackers had stolen encrypted customer vault data along with unencrypted metadata. The company that existed to solve the password problem became a case study in the password problem. Corbató's nightmare had come full circle.