Hoping to protect users against Internet eavesdroppers, Security Dynamics Technologies today announced a product that promises to strengthen the security of passwords significantly.
Security Dynamics said it will offer SoftID, which generates a unique, one-time password every 60 seconds for corporate users who require secure access to information across the Internet and intranets.
Typically, a password--usually the same one--is entered each time a user logs on to a network or server, but hackers can intercept and reuse these passwords using a sophisticated piece of software called a "sniffer."
To guard against password sniffing, many companies have used security devices that generate new passwords each time users log on. These devices are attached to company computers, and users insert ATM-like identification cards in them before logging on. Sold by Security Dynamics and other vendors, these devices are highly effective but often disliked by users because they must carry the card and worry about losing it.
A software-only solution is easier because it runs directly from the user's desktop and doesn't require the use of the actual cards. The company said it has partnered with more than 40 vendors, including IBM, Oracle, and Shiva, to ensure that SoftID works with a broad range of products.
But analysts said SoftID will not provide as much security as the hardware-based password devices.
"While software is just as good protecting against sniffer attacks as hardware, if someone steals your laptop you've got a problem," said John Pescatore, research director of information security at International Data Corporation Government, a research firm. Password programs "are still one step below the hardware side, but there's vast resistance to using hardware cards among companies."
SoftID will be available in the second quarter for Windows 3.1, Windows 95, and Windows NT Workstation for $34.95 per user. It requires ACE/Server, Security Dynamics's server technology, which is priced starting at $2,450.
A similar freeware program called S/Key, which also generates one-time passwords, is already widely available on the Internet.