Privacy Watch: Two Passwords Double Your Privacy
The password, as it exists today, is a dinosaur--a throwback to a time before automated worms existed that could log every keystroke computer users make, and before phishing messages emerged that trick people into sending their passwords to a con artist. But though one password is insufficient, a lot of companies are starting to believe that two passwords may be just the ticket.
Businesses call the arrangement "two-factor authentication," but it boils down to having one password that you make up for yourself and another password that you get from someplace else. This is the computer equivalent of the security provided by a safety deposit box: Your key alone can't open the box, and neither can the bank's key; both parties need to use both keys at the same time.
Here's how one method might work: Your bank includes, with your monthly statement, a card with 50 passwords printed on it. Each password hides behind the same silvery stuff that obscures the numbers on a scratch-off lottery ticket. When you want to log in to your bank account online, you scratch off the silvery stripe covering one password, and then log in to the Web site with your user name, the password you created, and the password on the scratcher card. After you've used the scratched-off password, you can never use it again.
The security benefits here are clear. Even if someone guesses the password you made up for your bank account, they still can't get in unless they hold your card of passwords. If someone finds your password card, they can't get in unless they can also guess the password you invented. Some banks in Sweden already use this method; no U.S. bank uses it yet for consumer accounts.
Businesses have relied on RSA Security's SecurID devices for years. The SecurID Key Fob, about the size of a car-alarm remote, displays a new six-digit code every 60 seconds. Anytime you want to log in to an RSA SecurID-protected computer or site, you must enter your user name, your password, and the RSA SecurID code displayed on the device at the moment you log in. Microsoft recently announced that it will build support for RSA SecurID into every Windows machine.
Using two passwords solves a great many security problems. It won't matter whether a keystroke logger records what you type, because one of your passwords will expire the moment the hacker gets it. Want to use your new puppy's name as a password? No problem. You won't have to invent elaborate--and easy to forget--passwords, and your finances will remain safe.