What has not changed, however, is the prime method for authenticating the users of these devices and securing their secrets: the password.

Whether the name of a favorite child or pet, a combination of initials and birth dates, or a clever mix of letters, numerals, spaces and shift-keyed symbols, passwords - at least using them alone - are passé. And with authentication techniques changing, experts say relief also is on the way for computer users stressed by trying to remember dozens of log-on combinations.

In the past year, computer-makers have crowned biometrics, particularly on-board sensors that read fingerprints, as the preferred choice for authenticating users. Microsoft, IBM, Hewlett-Packard and Toshiba are all pushing fingerprint-reading notebooks and a new line of sensor-equipped keyboards.

Other gadget-makers also provide finger-scanning add-ons, while researchers reportedly are advancing commercial versions of retinal and facial recognition software and devices, smartcards and plug-in security keys.

"Passwords can be effective, if you can remember them all," laments Vincent Weafer, senior director of Symantec Security Response Team. "People are so overwhelmed with the number of passwords needed [that] they write them on notes stuck to their [PC] monitors, or have the same passwords for everything."

Symantec, a leading computer security software and consulting company best known for Norton antivirus suites, estimates 90 percent of people never bother to craft passwords of their own.

"That leaves the default passwords they come with, and hackers know all the main default passwords," Weafer says. "That's like not locking the doors until someone breaks in."

What makes a good password? Unpredictability, mixed with unique meaning to the user. Weafer suggests using a phrase such as "I was born in Los Angeles 20 years ago." Easy to remember, hard to guess and at 30 characters, harder to hack.

Still, no password is safe. Hackers have an effective arsenal. "Brute force" attacks try all possible combinations . Dictionary-based routines compare up 100,000 words in a few seconds. "Syllable" checkers pick up on bogus word forms. "Rule-based" attacks sniff out repetitive passwords.

The question, says Pete Ashdown, president of Salt Lake City Internet service provider Xmission, is not whether a password can be cracked, but how to make it so time consuming hackers won't want to try.

"My frequently used passwords are nonsense I couldn't recite easily if I tried," he says. "However, my fingers remember them."

Jay Christofferson, an associate professor at Brigham Young University's School of Technology, uses one of several commercially available programs that lock away and automatically trigger passwords as needed.

Of course, that program requires - you guessed it - a password. And given what it protects, that password better be a dandy.

"To me, it's more and more a nuisance, almost trying to keep honest people honest," Christofferson says. He gives a lukewarm endorsement to fingerprint and retinal scanners.

Ashdown favors a combination of better-crafted passwords and biometrics. "We use thumb scanners here at Xmission. We combine them with a PIN [personal identification number] for extra security," he says.

Jay Lepreau, a University of Utah research professor of computer science, isn't as ready to abandon passwords for high-tech gadgetry. His solution: "Store them on a piece of paper. Seriously. How often is your wallet stolen, where perhaps you store your passwords, or a locked desk drawer broken into?

"Passwords are not obsolete," Lepreau insists. "[But] traditional ways of managing them, all in your head, don't work anymore."

bmims@sltrib.com

Security codes of the future

Biometrics. Technology including fingerprint, retinal and facial image scanning. Notebook computers recently began featuring a fingerprint sensor in place of passwords for user authentication.

Smartcards. Credit card-sized plastic imbedded with microchips bearing information readable only by special card readers.

USB hardware tokens. Stores users' private encryption keys, passwords, user names, digital signatures, etc.

Digital certificates. A little-used technology involving software bearing encrypted "private keys" needed to access a file, a PC or a network. The certificates operate automatically in background.