Choosing the level of security for a software system is a delicate balance.
Most people want their software to be secure, whether it's a website, an internet banking smartphone app, or the program that controls their car's central locking system. However, making something too secure can also make it difficult to use. Think of home security - you could build yourself a moat and drawbridge to keep burglars out. Your house would probably be more secure, but popping out for the morning paper would become a bit of a chore!
Here are a few options to consider when planning your next website:
1) Password based authentication over SSL
This is the kind of security you most likely use for checking your email, accessing Facebook, etc. It is easy to implement, and provides security from most common attacks. However, it doesn't protect from things like key-loggers (malicious applications that sit quietly on your computer stealing passwords as you type). The central database is also vulnerable - even though the server will usually be stored in a secure facility, there would be nothing stopping a disgruntled employee of that facility from accessing the server and stealing the data.
Despite these shortcomings, this is the form of security used by the vast majority of internet-based applications.
2) Password based authentication with encrypted database
This is the kind of security you might use for making credit card transactions online. It's a similar scenario to option 1, but this time the data in the database is encrypted using a combination of public and private keys. So even if someone were able to hack into the database, or steal the database from the server facility, they wouldn't be able to access any of the data.
The trade-off for such security is that the data has to be encrypted/decrypted every time it is accessed. This is slower than accessing a non-encrypted database, and it means that if the password is lost there is no way to recover the data.
3) Encrypted database with multi-factor authentication
This is the kind of security you might use for accessing your online banking account, or corporate VPN. Multi-factor authentication combines something you know (e.g. your password) with something you have (e.g. a fingerprint). A common way of implementing this security method is to provide users with a key fob which generates a unique code every 60 seconds - to log into the system the user needs both their secret password and the code from the key fob. The advantage of this system is that even if a key-logger managed to steal your password and unique code, the unique code will most likely have expired by the time an attacker tries to use it.
This type of security can be used with both an encrypted and a non-encrypted database. An obvious drawback of this technique is that every user of the system has to be issued with a physical item (e.g. a key fob), which can be lost or stolen, or can malfunction.
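As an added example (not code from the original post), here is a minimal RFC 6238-style time-based code generator and verifier in Python using the 60-second rotation described above; the key fob's actual algorithm is not stated on the page, so TOTP is an assumption, and the secret is a constructed sample. It shows why a code stolen by a key-logger stops working once its time step has passed, while a small skew window still tolerates clock drift between fob and server.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60  # the key fob in the text rotates its code every 60 seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current time step (Unix time // step)."""
    return hotp(secret, at // step)


def verify(secret: bytes, submitted: str, at: int,
           step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `skew`
    neighbouring steps (clock drift), using a constant-time comparison.
    Any code from an older step is rejected as expired."""
    current = at // step
    for counter in range(current - skew, current + skew + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


def stolen_code_scenario(secret: bytes, captured_at: int, replayed_at: int) -> bool:
    """The key-logger case from the text: a code captured at `captured_at`
    is replayed at `replayed_at`. Returns whether the server would accept it."""
    captured = totp(secret, captured_at)
    return verify(secret, captured, replayed_at)


if __name__ == "__main__":
    secret = b"constructed-demo-secret-not-real"  # constructed sample, not a real key
    now = int(time.time())
    print("current code:", totp(secret, now))
    print("replay 30 s later accepted:", stolen_code_scenario(secret, now, now + 30))
    print("replay 5 min later accepted:", stolen_code_scenario(secret, now, now + 300))
```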