The bank customer who chooses the year of her birth as her cash-machine PIN isn’t putting her savings in great jeopardy. The thief who picks up a lost wallet with an A.T.M. card in it would have to guess the PIN correctly in just the first few tries, or the system would shut down the account. Even if successful, the thief would be limited by the ceiling on daily A.T.M. withdrawals. And, in cases of theft, the customer would be made whole by the bank for the loss.

When that short PIN is used as a password on the Web, however, without a second form of verification, it is just about the worst possible choice, almost as bad as choosing “password” as one’s password. “Using an A.T.M. PIN in the context of the online world is unwise,” says Marty Jost, a product marketing manager at Symantec, the computer security company. “Using an easy-to-remember PIN is even more unwise because it’s easy to guess.”

Mr. Jost says Web sites should use multiple layers of security so that “the password is not the only authentication mechanism.”

Users of Gmail and other Google services, for example, can elect to have a two-step verification system to protect their accounts. When the system is activated, the user fills in the boxes for user name and password, as usual, but then is sent to another page where a verification code must be typed in. Users may choose to have this arrive as a text message, or they can obtain it by using an app on their smartphone. There’s a backup method, too, in case their smartphone is lost or stolen.
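The two-step flow described above, as an added example that is not part of the original article or any named service's own code: the password alone is not enough, the second step checks a time-based code of the kind an authenticator app produces (RFC 6238), and repeated failures lock the account much as the cash machine does. The class name, the three-failure threshold and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code (HMAC-SHA1 with RFC 4226 dynamic truncation)."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TwoStepLogin:
    """Hypothetical account check: password first, then a one-time code."""
    MAX_FAILURES = 3  # assumed threshold, mirroring the A.T.M.'s "first few tries"

    def __init__(self, password_hash: bytes, salt: bytes, secret: bytes):
        self.password_hash, self.salt, self.secret = password_hash, salt, secret
        self.failures = 0
        self.last_step = -1  # last accepted time step; blocks replay of a used code

    @staticmethod
    def hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def login(self, password: str, code: str, now: float) -> str:
        if self.failures >= self.MAX_FAILURES:
            return "locked"
        password_ok = hmac.compare_digest(
            self.hash_password(password, self.salt), self.password_hash)
        # Accept the current 30-second step and the previous one (clock drift).
        step_now = int(now) // 30
        matched = None
        for step in (step_now, step_now - 1):
            expected = totp(self.secret, step * 30).encode()
            if hmac.compare_digest(expected, code.encode()):
                matched = step
        if password_ok and matched is not None and matched > self.last_step:
            self.last_step, self.failures = matched, 0
            return "ok"
        self.failures += 1
        return "denied"

# Constructed sample account: a birth-year password and the RFC 6238 test key.
SALT = b"constructed-salt"
account = TwoStepLogin(TwoStepLogin.hash_password("1975", SALT), SALT,
                       b"12345678901234567890")
```

With the guessable password "1975" but no valid code, `account.login` returns "denied", and after three failures it returns "locked" regardless of what is supplied.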

PayPal and Dropbox also offer their users the option of requiring two-step verification for added peace of mind. Many corporate networks have long used this security model, too.

Yes, it’s a bit cumbersome. Jeff Atwood, a software developer, author, and co-founder of the programming question-and-answer site Stack Overflow, acknowledged this when he urged readers of his blog in April to use Gmail’s two-step verification option.