Passwords are a ubiquitous way to provide a minimal level of authentication to a computer user seeking to access a network computer such as a Web site. For instance, online banking requires a user to log in to a Web server of a financial institution using a user name and password that have been previously given to the user by the server. In this way, only a user (hopefully, the true account owner) who possesses both the user name and password can gain access to the user's account.
As another example, some Web servers provide subscription services. For instance, users can subscribe to a Web site to receive news publications, music titles, etc. To ensure that only users who have paid the subscription fee can access the content, a user seeking access is required to log in using a user name and password.
In either case, it is possible that a password can be stolen and information intended only for the rightful owner of the password consequently fall into the hands of a password thief. Some estimates for the year 2003 indicate that as many as two million Americans have had their online bank accounts raided, at an average loss of $1200 for a total loss in excess of $2 billion. A common way for thieves to gain access is to send official-looking emails to bank customers, requesting user names and passwords which, if the illegitimate requests are complied with, are then used to log in to online accounts and drain them of money. This tactic of user deception is commonly referred to as “phishing” and it is not the only possible way to spoof innocent users from divulging sensitive information to thieves.