From day 1, I've been told security is a username and password. This, although true, is not true security. Having a user put in a username and password is only one form of authentication among many. If a true cracker wanted your username and/or password, getting them would be relatively easy.
Now, what can you do to make your security bulletproof? Establish Multi-Factor Authentication.
Multi-Factor Authentication is, like the name suggests, authentication based on 2 or more factors. In True Security practices, there are only 3 types of authentication: What I know, What I am, and What I have. So, as a demonstration of how these are put into use, I will give an example:
Say you are a Top-Level Security Administrator for a well-known bank based in New York. On your floor, you work in the area where all the network housing and servers are located, so security is tight and allows no intrusions through the building. Your job is to monitor network activity and make sure nothing "phishy" is going on. In order to access your working quarters, you need to go through several steps, or processes. The first process is using your key-card to access the floor your office is on. On swiping it, you are allowed to go to your floor. This type of authentication is 'What I have'.

As you step out of the elevator on your floor, you have to scan your key-card again to open the main door. Through this door is a small hallway to the next door. This room is monitored by an armed security guard. In this room, you scan your key-card once again to access a number panel, where you enter your key code. This key code was given to you electronically and is an 8-digit alphanumeric string. Even though it is a number pad, the keys carry letters as well as numbers, much like a phone. This type of authentication is 'What I know'. So, as we proceed to the next and final room, we have now covered 2 types of authentication: 'What I have' and 'What I know'.

The last room has a retinal scan and biometrics. Here you put your face up to a projection screen that scans your eyes for a signature. Once that is complete, you slide your finger across a fingerprint scanner to capture your fingerprint. Once both are complete, the system checks both scans for positive matches. If it does not find one or the other, it goes into a lock-out mode, in which a security guard will come and assist you. If that fails, you will be escorted out by the police. Security is no laughing matter at the top bank in New York. This last type of authentication is 'What I am'.
If you are able to get past all of these types of authentication, then you are allowed into your work quarters. This is True Security.
This example is based on a real-life situation and does come into use at some high-security companies, such as banks and data warehouses, across the United States.
This type of authentication can also be used in web applications. If you have the resources to deploy such measures, you will have achieved True Security for your platform.
A common misconception about Multi-Factor Authentication shows up on online banking programs and some other supposedly secure websites. These not only make the user supply a username and password, but make them answer questions as well. But, if you've noted the 3 types of authentication, these are all using only 'What I know': the username and password, and the answers to questions you've provided.
Unfortunately, most websites do not have the money, resources, or power to deploy a multi-factor authentication system, but they can try to secure their data better by beefing up the mono-factor support. Some great examples of this are pictograms, which make users select a couple of pictures out of a long set of pictures. Another way is a web key-pad, in use by CoderProfile.com, which allows the user to use the mouse to click in a number sequence, eliminating key-loggers.
There is one way to achieve Dual-Factor Authentication for websites, which was brought to my attention by the Developer of CoderProfile.com. They have deployed a security function which allows the locking of your account. Your account gets locked if your IP address changes from an authenticated one previously registered to your account. If this happens, the system sends you a PIN via e-mail which allows you to unlock and start using your account. A brilliant idea and fix for the mono-authentication most websites use. This is Dual-Authentication because it uses e-mail in order to allow you to access your account. E-mail accounts are something 'What I have'.
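To show how such a lock-and-unlock flow fits together, here is an added example of my own; it is not CoderProfile.com's code and says nothing about how they built theirs. The 6-digit PIN, the 15-minute validity window, the 5-attempt limit and the `send_email` stand-in for the mailer are all my assumptions.

```python
import hashlib
import hmac
import secrets

PIN_TTL_SECONDS = 15 * 60   # assumed: an unlock PIN is valid for 15 minutes
MAX_PIN_ATTEMPTS = 5        # assumed: the PIN dies after 5 wrong guesses


class Account:
    def __init__(self, username, known_ips):
        self.username = username
        self.known_ips = set(known_ips)  # IPs previously authenticated
        self.locked = False
        self.pin_hash = None             # only a hash of the PIN is stored
        self.pin_expires = 0.0
        self.pin_attempts = 0


def _hash_pin(pin):
    return hashlib.sha256(pin.encode()).hexdigest()


def login(account, ip, now, send_email):
    """First factor (password) is assumed already checked by the caller.
    Returns 'ok', or 'locked' after issuing an unlock PIN by e-mail."""
    if account.locked:
        return "locked"
    if ip in account.known_ips:
        return "ok"
    # Unregistered IP: lock the account and e-mail a fresh one-time PIN.
    account.locked = True
    pin = "".join(secrets.choice("0123456789") for _ in range(6))
    account.pin_hash = _hash_pin(pin)
    account.pin_expires = now + PIN_TTL_SECONDS
    account.pin_attempts = 0
    send_email(account.username, pin)   # stand-in for the real mailer
    return "locked"


def unlock(account, ip, pin, now):
    """Second factor: presenting the PIN proves control of the e-mail account."""
    if not account.locked or account.pin_hash is None:
        return False
    if now > account.pin_expires or account.pin_attempts >= MAX_PIN_ATTEMPTS:
        account.pin_hash = None           # expired or exhausted: PIN is dead
        return False
    account.pin_attempts += 1
    if not hmac.compare_digest(account.pin_hash, _hash_pin(pin)):
        return False                      # constant-time compare, still locked
    account.locked = False
    account.pin_hash = None               # single use
    account.known_ips.add(ip)             # the new IP is now authenticated
    return True
```

The PIN is hashed at rest, compared in constant time, expires, is single use and is capped on attempts; without those, the e-mailed PIN is a much weaker second factor than the page's description implies.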
Security has come a long way on the web, but True Security has not been achieved for most websites.
