Security News

Cybersecurity news aggregator

Defense by accumulation

  • What: Historical account of one of the first credential thefts in computing history
  • Impact: Provides context on the long-standing issue of credential security

Defense by accumulation
A history of credentials at rest

Sixty-four years of credential security, and why the first hour of every incident is still the same question

In the spring of 1966, Allan Scherr was a Ph.D. student at MIT who wanted more time on the Compatible Time-Sharing System than his weekly four-hour allocation permitted. CTSS, built by Fernando Corbató's group, was among the first systems to require per-user authentication. Late one Friday night, Scherr submitted a punched card requesting that the system print the password file offline. He returned Saturday morning, retrieved the printout, and handed copies to friends. J.C.R. Licklider used the credentials to log in as Robert Fano, the lab director, and leave taunting messages. Scherr confessed twenty-five years later. Fano told him his doctorate was safe. It is one of the first credential thefts in the recorded history of computing.

The shape of it has not changed. The credential is a file. The file is somewhere accessible. The trust placed in the file is administrative, not architectural. The theft is detected when the attacker chooses to be detected, or, more often, not at all.

This is a history of credentials at rest: the files, environment variables, key stores, sockets, and persistent artifacts that hold trust material between authentication events. Credentials in memory during an active session are a parallel story, mostly told by EDR vendors and forensics teams. The two histories overlap at specific moments (Mimikatz is one of them) but they have different shapes and different responses. This piece is about the first one.

Sixty-four years after Scherr, an alert fires on a developer laptop. The on-call engineer pages the IR lead. The lead opens the EDR console, confirms the host, and starts the questions that always come next. What credentials does this machine have access to. What does each credential reach. Where else in the environment does that pattern exist.

The first hour is not a forensics exercise. It is a credential exercise. The artifact has changed at every layer in the intervening decades. The question has not. This is a short history of how the question got so hard to answer.

I. They're all files

In 1979, Robert Morris and Ken Thompson published Password Security: A Case History in Communications of the ACM. The paper describes the redesign of the Unix password mechanism: hash with a modified DES function, prepend a 12-bit salt, store the result in /etc/passwd. It includes a survey of 3,289 passwords on the Bell Labs system. Eighty-six percent were trivially weak: short, all-lowercase, or drawn from a dictionary. The paper's conclusion, in 1979, was that user behavior is the binding constraint on password security. That conclusion has not aged.

/etc/passwd remained world-readable through the 1980s. The hash was considered uncrackable in practice; various Unix utilities depended on resolving UIDs to usernames. This was the design hole the Morris Worm walked through on the night of November 2, 1988. The worm, released from MIT by Robert Tappan Morris, son of the Password Security co-author, pulled the hashed password file from each infected machine, ran a built-in dictionary of about 432 words through crypt(), and used cracked credentials together with .rhosts trust relationships to hop laterally. It crippled roughly 6,000 of the 60,000 machines on the early internet within twenty-four hours.

The technical response was /etc/shadow, which moved the hashes to a root-only file. The cultural response was CERT and the incident-response industry that followed.

A father wrote a paper warning that user behavior was the binding constraint. Nine years later, his son's worm exploited exactly that fact, against exactly that file, on a network the elder Morris had helped design.

II. In memory

Kerberos was developed at MIT's Project Athena beginning in 1986. Steve Miller, Clifford Neuman, Jeff Schiller, and Jerry Saltzer designed it on the premise that passwords should not traverse the network. A user authenticates once to a Key Distribution Center, receives a time-bounded Ticket Granting Ticket, and uses derived service tickets to access individual resources. By January 1987 it was the sole authentication mechanism for Athena's 5,000 users, 650 workstations, and 65 servers.

Microsoft adopted Kerberos as the default protocol for Windows 2000. An absolute majority of enterprise authentication events in the world today still run on a protocol designed for an MIT research network in the late 1980s.

Active Directory inherited Kerberos and added the architectural choice that defined the next two decades: the domain controller would hold the credential material, including password hashes, ticket-signing keys, and a special account called krbtgt whose hash signs every Kerberos ticket in the domain. The DC became the trust anchor of the enterprise.

In 2007, Benjamin Delpy, writing under the handle gentilkiwi, built Mimi...
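The 1979 mechanism from section I (salt-then-hash, result stored in the passwd file) and the world-readable design hole that /etc/shadow closed, as an added example that is not from the essay: a check that flags accounts whose hash still sits in a passwd-format file, beside a salt-then-hash routine with a 12-bit salt. Assumptions: the sample passwd excerpt is constructed, and PBKDF2-HMAC-SHA256 stands in for the modified DES of crypt(3), since only the salt handling is the point.

```python
import hashlib
import secrets

# Constructed /etc/passwd excerpt (sample data, not from the essay). Two entries
# keep a hash in the world-readable field, as pre-shadow Unix did; 'x' means
# the hash lives in root-only /etc/shadow; '*' marks a locked account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
rtm:ab3Kq9Lm2PzXc:1001:100:Constructed user:/home/rtm:/bin/sh
fano:*:1002:100:Constructed locked user:/home/fano:/bin/sh
ops:cd7Wn1Yt4QvBe:1003:100:Constructed service user:/home/ops:/bin/sh
"""

SHADOWED_OR_LOCKED = {"x", "*", "!", "!!", ""}


def hashes_exposed_in_passwd(passwd_text):
    """Return usernames whose hash still sits in the passwd file itself.

    Anything in field 2 other than a shadow pointer or lock marker is
    readable by every local user, and by anything that can read the file.
    """
    exposed = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line: skip rather than guess
        if fields[1] not in SHADOWED_OR_LOCKED:
            exposed.append(fields[0])
    return exposed


def salted_hash(password, salt=None):
    """Salt-then-hash in the shape of the 1979 scheme.

    Assumption: PBKDF2-HMAC-SHA256 stands in for the modified DES of
    crypt(3). The salt is 12 bits (4096 values) as in the original design
    and is returned with the digest, since verification must reuse it.
    """
    if salt is None:
        salt = secrets.randbelow(4096)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.to_bytes(2, "big"), 10_000
    )
    return salt, digest.hex()


def verify(password, salt, stored_hex):
    """Recompute with the stored salt and compare; True on a match."""
    return salted_hash(password, salt)[1] == stored_hex
```

Same password under two different salts yields two different stored values, which is why one precomputed table could not be reused across a whole site's accounts.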
