RECOGNIZING YOUR MACHINE: Upon login, many companies ask you if you want their site to remember your machine. If you say yes, this makes logging in easier, as you may not even need to enter your username again. But I'm with my friend Bob Sullivan, an author and consumer advocate, on the wisdom of saying no here, as he suggested in a blog post this week. He figures that anything he can do to force thieves to take an extra step or two might just cause them to give up and move on to an easier mark on their list of stolen credentials.
Some companies, like American Express and Vanguard, tell you to say yes and say that doing so adds to security. I discussed their arguments for doing so with them and didn't find them persuasive, especially the notion that having a site remember me will help keep me from accidentally ending up at a fake site, since I'd supposedly notice and remember that it hadn't asked for my username. However, Capital One notes quite plainly that "Selecting the 'Remember Me' feature on a computer or mobile device may put your personal information at risk," even on a machine that only you or your family members use.
UNIQUE CODES: I'd hoped to be able to ask every company I do business with to simply send me a code by text message each time I successfully entered my username and password. It's a fairly simple arrangement (unless you're abroad, or somewhere else where receiving a text is a challenge), and I already do something similar with Gmail. But not one company was able to do this, though Vanguard intends to start a similar service before the end of the year. American Express has no such plans for its card customers for now. "We understand why some customers would want this, but it's not something we've heard overwhelmingly," said Amelia Woltering, a spokeswoman.
Read MoreWork from home? Watch out for hackers
The best that Charles Schwab could offer was one of those plastic things that hangs on your key chain with numbers that continuously change. TD Ameritrade used to send those out but stopped two years ago. A low percentage of customers requested them, and of those who did, a low percentage actually used them.
The Wells Fargo customer representative I spoke to couldn't help me on this front either, though he took the opportunity to try to cross-sell me on a paid identity theft protection service. Good man! Later, after I logged in for the second time that day, the company's website wished me a happy birthday. It wasn't my birthday, which made me fear for a moment that I'd been hacked.
NOTHING FOOLPROOF: The single best change I was able to make was at Vanguard's site, though it took some back-and-forth by both email and phone with a company spokeswoman to find the feature. Vanguard will allow people to declare certain machines known and then instruct the site not to let any other person (including the account holder) using any other machine get past the initial login page.
I made that change, though it might be trickier to use a feature like that with an online banking site, where most people need more frequent (and occasionally emergency) access.
And there's the danger of leaning too hard on one piece of hardware. "What happens when that computer has an issue and is unavailable to you?" said Steve Adegbite, a Wells Fargo security executive, adding that we've all been in a spot where, say, a Windows upgrade causes our main machine to refuse to boot up at all.