This article was first published 17 years ago

I 4got mY PasswRD!

By Victoria Murphy Barret, Forbes
October 20, 2006 14:07 IST

Want to see how you racked up $9,000 in American Express charges? Log on with your six-digit, alphanumeric password.

Want to order a movie off Netflix or check e-mail? Two more passwords, please.

Checking the gas bill online with Southern California Gas? You'll need a password of 7 to 12 characters, one uppercase, one lowercase, one number and, preferably, one character like an exclamation point or ampersand.

The password was supposed to be our friend, protecting precious data from the bad guys. But it has become a burden for the good guys. The Web-savvy user now has an average of 30 password-protected accounts.

Pleas to reset forgotten passwords account for half of help-desk calls to Web sites, says RSA Security. When Bank of America ran a focus group, nearly all participants said that one security measure they weren't willing to put up with was another password. You can try using the same code everywhere, but that isn't safe, nor is it even feasible, given the varied formats required.

A search for solutions turns up frustratingly few options. Web sites are embracing more layers of security that make use of other identity-bearing clues. By year-end all federal banking agencies will require online banks to ask for two forms of identification to access an account, like a thumbprint or a secret question.

Small outfits Siber Systems, PasswordSafe and Info Keep offer so-called vaults that remember and manage passwords. "We're like your browser bookmarks on steroids. Every time you go to a Web site we automatically sign you in," says William Carey, marketing chief for Siber Systems, which sells a product called Roboform.

But consumers are wary of handing over the keys to their digital identity. Carey says: "Your passwords stay on your PC with Roboform, but people are scared, even though what they're currently doing with their passwords, like keeping them stored in a file on their PC, is really dangerous."

One of the most popular features of Intuit's Quicken financial software is the "PIN vault," which holds users' various passwords so Quicken can fetch financial information from other sites. Last year the vault held passwords for 430 financial firms. The next version will have 4,400.

Microsoft is trying to do away with passwords entirely. In its upcoming Vista operating system consumers can create "information cards" that serve as encrypted digital identifiers. Credit card companies will be able to issue these cards to customers. If all parties sign up, the info card would tell Wells Fargo, say, to transfer $19.95 to Amazon.com.

It's a neat idea but one that requires a buy-in from consumers and vendors alike. Seven years ago Microsoft floated a similar-sounding scheme called Passport that granted users access to any site that agreed to use the same password system. The project was a bust, as other companies balked at letting Microsoft peek at their customer data (consumers were iffy on the notion, too).

This time around Microsoft isn't offering to store all the data. "We can make digital transactions much safer than in the real world," says Kim Cameron, Microsoft's identity-and-access architect.

One idea that has taken root is the use of a token the size of a key fob that generates a random six-digit password every 60 seconds. The big player here is RSA Security, which has sold 20 million of them to such customers as Wells Fargo and Credit Suisse. E-Trade has handed the tokens out to its most active customers.

Web sites are layering on more security to fight the common Web scam known as phishing, in which spammers lure people into logging on to a bogus site and steal their user names and passwords. In April RSA (acquired by EMC for $2.1 billion last month) paid $45 million for Passmark, a company that created an image-based security system.

One Passmark client, Bank of America, asks customers to recall a photo they previously selected for access to online statements; then they enter a password. The images are warm and fuzzy shots of puppies and sunsets alongside short-text descriptions that customers must also identify.

Bank of New Zealand customers access online files by using a password, then selecting combinations from unique grids of numbers and letters that resemble the game Battleship. Yahoo's log-on page now displays a user-selected photo to assure people they're not being phished.

Imagic Software in Solvang, Calif. sells software that analyzes a user's typing habits to build a biometric profile. So long as you have both hands on the keyboard, "if you happen to have a crying toddler on your knee or you're groggy, we'll still recognize you," says Imagic Vice President Craig Maszer. So far just a few firms use Imagic for employees.
