The reality factor

24.07.2006

The standard answer to the first question has been simple: Weak passwords can be cracked with free software available on the Internet; can often be discovered inside files stored on the network, on people's laptops or on sticky notes left inside desk drawers; and can be solicited through social engineering and phishing e-mails.

These are serious risks that could expose a company to a publicized security breach notification, which often turns out to be a multimillion-dollar affair. But are there other sufficiently effective and cheaper ways to compensate for weak passwords?

My counterparts point to a few possibilities:

Challenge questions. Who says you always need to choose from two of the three categories of what you know, what you have and who you are? Why not choose two authenticators based on what you know? If you can choose the right set of challenge questions -- such as "What high school did you graduate from?" or "What is your favorite pet's name?" -- you can counter some of the weaknesses common to passwords. The catch is that the answers are low-entropy secrets in their own right: a high school or a pet's name is often discoverable through the same social-engineering channels that expose passwords, so this is a second knowledge-based check rather than a true second factor.

Photo "passwords." This is another variant of a second "what you know" authenticator. In this method, you choose a photo -- either of yourself or something memorable from a gallery -- that will be associated with your account. Each time you log in, you face a random selection of photos that always includes the one you originally designated, which you must pick correctly. Because the designated photo is present in every challenge, an attacker who can repeatedly bring up the login screen without authenticating can intersect the panels to find it; how the decoys are chosen and how many failed attempts are allowed before lockout determine how much protection the scheme really adds.
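As an added illustration that is not part of the original column, the following Python sketch models the photo challenge described above and the intersection attack that follows from always showing the designated photo, alongside a fixed-decoy variant and the guessing odds under an attempt lockout. The gallery names, panel size and the fixed-decoy variant are assumptions for the example, not a description of any vendor's product.

```python
import random
from typing import List, Sequence, Set

# Constructed gallery: identifiers stand in for the images a site would show.
GALLERY = [f"photo-{i:02d}" for i in range(40)]
DESIGNATED = "photo-17"   # assumption: the photo the user chose at enrollment
PANEL_SIZE = 9            # assumption: how many photos each login shows


def naive_challenge(designated: str, gallery: Sequence[str],
                    n: int, rng: random.Random) -> List[str]:
    """Challenge as the column describes it: the designated photo plus
    n-1 decoys drawn fresh from the gallery on every login."""
    decoys = rng.sample([p for p in gallery if p != designated], n - 1)
    panel = decoys + [designated]
    rng.shuffle(panel)
    return panel


def fixed_decoy_challenge(designated: str, decoys: Sequence[str],
                          rng: random.Random) -> List[str]:
    """Hardened variant (an assumption, not from the column): the decoy set
    is picked once per account at enrollment and reused, so every challenge
    shows the same n photos in a different order."""
    panel = list(decoys) + [designated]
    rng.shuffle(panel)
    return panel


def intersection_attack(challenges: Sequence[Sequence[str]]) -> Set[str]:
    """An observer who can trigger the login screen repeatedly intersects the
    panels: the designated photo is in every one, a fresh decoy rarely is."""
    remaining = set(challenges[0])
    for panel in challenges[1:]:
        remaining &= set(panel)
    return remaining


def attack_naive(panels: int, seed: int = 7) -> Set[str]:
    """Run the intersection attack against fresh-decoy challenges."""
    rng = random.Random(seed)
    observed = [naive_challenge(DESIGNATED, GALLERY, PANEL_SIZE, rng)
                for _ in range(panels)]
    return intersection_attack(observed)


def attack_fixed(panels: int, seed: int = 7) -> Set[str]:
    """Run the same attack against fixed-decoy challenges: nothing is learned,
    the intersection is always the whole panel."""
    rng = random.Random(seed)
    decoys = rng.sample([p for p in GALLERY if p != DESIGNATED], PANEL_SIZE - 1)
    observed = [fixed_decoy_challenge(DESIGNATED, decoys, rng)
                for _ in range(panels)]
    return intersection_attack(observed)


def guess_probability_fresh(n: int, attempts: int) -> float:
    """Chance of guessing right within `attempts` tries when each failed try
    shows a fresh panel, so no photo can be ruled out: 1 - (1 - 1/n)^k."""
    return 1 - (1 - 1 / n) ** attempts


def guess_probability_fixed(n: int, attempts: int) -> float:
    """With fixed decoys a failed guess eliminates one photo for good, so the
    attacker's odds climb to k/n; the lockout threshold carries the scheme."""
    return min(attempts / n, 1.0)


if __name__ == "__main__":
    print("fresh decoys, 12 observed panels ->", attack_naive(12))
    print("fixed decoys, 12 observed panels ->", len(attack_fixed(12)), "candidates")
    print("P(guess in 3 tries), fresh:", round(guess_probability_fresh(PANEL_SIZE, 3), 3))
    print("P(guess in 3 tries), fixed:", round(guess_probability_fixed(PANEL_SIZE, 3), 3))
```

The two variants trade one weakness for another: fresh decoys leak the secret to a patient observer, while fixed decoys turn every failed attempt into a permanent elimination, so a low lockout threshold is what actually keeps a nine-photo panel from being guessed.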