Security Basics — Trivia & Interesting Facts

Surprising, historical, and little-known facts about information security fundamentals.


The first computer password was created in 1961 at MIT

Fernando Corbató introduced passwords to MIT's Compatible Time-Sharing System (CTSS) in 1961 to give users private access to their files. Within a year, a PhD student named Allan Scherr printed out the entire password file to get more computer time. Corbató later called passwords "a nightmare" and received the Turing Award in 1990.


The average person has over 100 passwords

A 2023 NordPass study found that the average internet user has approximately 168 passwords. Despite decades of security awareness training, "123456" and "password" consistently appear in the top 5 most commonly used passwords worldwide, year after year.


Two-factor authentication was invented in 1986

The first commercial 2FA token was the SecurID, created by Security Dynamics Technologies (later RSA Security) in 1986. The device displayed a new 6-digit code every 60 seconds. Despite being nearly 40 years old, the fundamental concept — something you know plus something you have — remains the backbone of modern authentication.


The principle of least privilege was formally defined in 1975

Jerome Saltzer and Michael Schroeder published "The Protection of Information in Computer Systems" in 1975, formally defining the principle of least privilege along with 7 other design principles for secure systems. Remarkably, all 8 principles (including fail-safe defaults and complete mediation) remain the foundation of modern security architecture 50 years later.


The Data Encryption Standard was intentionally weakened by the NSA

When IBM developed the DES algorithm in the 1970s, the NSA insisted on reducing the key size from 128 bits to 56 bits and made classified modifications to the S-boxes (substitution tables). Decades later, it was revealed that the S-box changes actually strengthened DES against differential cryptanalysis (a technique not publicly known at the time), but the reduced key size made DES crackable by the late 1990s.


The entire HTTPS ecosystem depends on about 150 root certificates

Every web browser ships with roughly 130-170 root CA certificates. If any one of these CAs is compromised or acts maliciously, it can issue valid certificates for any domain on the internet. The entire trust model is a single-point-of-failure hierarchy, which is why Certificate Transparency was introduced as a compensating control.


Social engineering is the attack vector in over 70% of breaches

Verizon's Data Breach Investigations Report consistently finds that the human element is involved in over 70% of breaches. Phishing alone accounts for approximately 36% of all breaches. Despite billions spent on technical security controls, humans remain the most exploitable vulnerability in any system.


The concept of a computer virus was theorized in 1949

John von Neumann described self-reproducing automata in his 1949 lectures, laying the theoretical groundwork for computer viruses. The first actual virus in the wild, Elk Cloner, appeared in 1982 on Apple II computers, spreading via floppy disks and displaying a poem on every 50th boot.


Air-gapped networks have been breached using LED blinking patterns

Researchers at Ben-Gurion University demonstrated in 2017 that data could be exfiltrated from air-gapped computers by modulating the hard drive activity LED at speeds imperceptible to humans but readable by a nearby camera. Other demonstrated air-gap bridging techniques include using fan noise, heat emissions, and even the electromagnetic radiation from USB cables.


The global cybersecurity workforce gap exceeded 4 million people in 2024

The (ISC)2 Cybersecurity Workforce Study estimated a shortage of over 4 million cybersecurity professionals worldwide as of 2024. Despite average salaries exceeding $120,000 in the US, the industry cannot fill positions fast enough, with an estimated 0% unemployment rate for qualified practitioners.