Last year, Kaspersky Password Manager (KPM) users received an alert asking them to update their weaker passwords.

In March 2019, security firm Kaspersky Lab delivered an update to KPM that promised the application could detect weak passwords and generate strong replacements. From then until the final months of 2020, KPM suggested passwords that were easy to crack without flagging the weak passwords for users.

Three months later, a team from security consultancy Donjon found that KPM was not doing either of these tasks particularly well – the software was using a pseudo-random number generator (PRNG) that was not random enough to generate strong passwords.

"I wanted to laugh at this Kaspersky Password Manager bug, but it is *amazing*. In the sense that I've never seen so many broken things in one simple piece of code."

"The password generator included in Kaspersky Password Manager had several problems," said the Donjon research team in a blog post on Tuesday. "The most critical point is that a PRNG was used that is not suitable for cryptographic purposes. Its only source of entropy was the current time. All of the passwords it created could be brute-forced in a matter of seconds."

In practice, the lack of randomness means that the set of passwords the generator can produce over time for a given password character set is small enough to be brute-forced in minutes. And if the creation time of an account is known – which, according to Donjon, is often displayed in online forums – the space of possibilities shrinks significantly and the time for a brute-force attack is reduced to seconds.

"The consequences are obviously dire: any password could be brute-forced," wrote the Donjon team. "For example, between 20 there are 315619200 seconds, so KPM could generate a maximum of 315619200 passwords for a given character set."

Between October and December 2019, a number of fixes – because the original Windows patch did not work properly – were rolled out for the web, Windows, Android and iOS. In October 2020, Kaspersky KPM 9.0.2 released Patch M, which included a notification to users that certain weak passwords need to be regenerated.

A researcher who responsibly disclosed the flaw to Kaspersky, to allow them to fix the issue, explained that there were two flaws in the password management solution, as ZDNet reports. The issue was assigned CVE-2020-27020 and Kaspersky released a notice in April 2021.

Password managers use a random number generator to create secure passwords, but Kaspersky was reportedly using the system time as a 'seed'. "It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second," said Jean-Baptiste Bédrune, head of security at Ledger Donjon. "The consequences are obviously bad: every password could be bruteforced. For example, there are 315619200 seconds between 20, so KPM could generate at most 315619200 passwords for a given charset."

Bédrune also discovered a second flaw that the company probably created to defeat dictionary attacks – a technique used by hackers who systematically enter every word in a dictionary in order to find a password, according to the report. Kaspersky would use uncommon letter groupings like zr or qz to make passwords. The obvious downside to using this system was that a hacker who knows their target is using Kaspersky Password Manager could break into the system much faster by trying these letter combinations. "Bruteforcing them takes a few minutes," he added.

If you created an account with Kaspersky Password Manager after October 2019, you should be protected from the security flaw that enabled the generation of less secure passwords.
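The following is an added illustration, not Kaspersky's code or Donjon's: a toy generator with the same class of defect the article describes (a non-cryptographic PRNG whose only entropy is the wall clock in whole seconds) next to a corrected generator that draws from the operating system's CSPRNG. The character set, password length and the `needs_regeneration` check are assumptions for the demonstration; the page gives neither KPM's charsets nor its generator algorithm. It shows why two installs running in the same second produce the same password, why the effective entropy of a clock-seeded generator is the size of the creation-time window (about 28 bits for the 315619200-second figure quoted above, whatever the password length), and how a defender can flag stored passwords that such a generator could have produced, which is the kind of notification Patch M added.

```python
import math
import random
import secrets
import string

# Illustration only: this is not KPM's code. The charset and length are assumed,
# since the page does not give KPM's actual character sets or generator algorithm.
CHARSET = string.ascii_letters + string.digits   # 62 symbols
PASSWORD_LENGTH = 12


def clock_seeded_password(seed_second: int, length: int = PASSWORD_LENGTH) -> str:
    """Toy generator with the flaw class the article describes: a non-cryptographic
    PRNG whose only entropy is the wall clock in whole seconds. Any instance, on any
    machine, that runs in the same second produces the same password."""
    rng = random.Random(seed_second)          # seed == time: the weak design
    return "".join(rng.choice(CHARSET) for _ in range(length))


def csprng_password(length: int = PASSWORD_LENGTH) -> str:
    """Corrected generator: the OS CSPRNG via `secrets`; no seed, no clock."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def same_second_collision(seed_second: int) -> bool:
    """Two 'separate installs' seeded in the same second agree exactly."""
    return clock_seeded_password(seed_second) == clock_seeded_password(seed_second)


def clock_seeded_entropy_bits(window_seconds: int) -> float:
    """Effective entropy of a clock-seeded generator: one candidate per second of
    the window in which the password could have been generated, independent of
    password length or charset size. 315619200 seconds (the figure quoted on the
    page) is only about 28 bits."""
    return math.log2(window_seconds)


def csprng_entropy_bits(length: int = PASSWORD_LENGTH,
                        charset_size: int = len(CHARSET)) -> float:
    """Entropy of an unbiased, independently chosen password of this shape."""
    return length * math.log2(charset_size)


def needs_regeneration(password: str, window_start: int, window_end: int) -> bool:
    """Defensive check in the spirit of the Patch M notification (assumed design):
    flag a stored password if the clock-seeded generator could have produced it in
    the given creation-time window. The window size is exactly the candidate count,
    which is why a known account creation time collapses the search to seconds."""
    return any(
        clock_seeded_password(s) == password
        for s in range(window_start, window_end + 1)
    )


if __name__ == "__main__":
    t = 1_600_000_000   # constructed timestamp for the demo
    print("same second, same password:", same_second_collision(t))
    print(f"clock-seeded, 10-year window: {clock_seeded_entropy_bits(315619200):.1f} bits")
    print(f"CSPRNG, {PASSWORD_LENGTH} chars from {len(CHARSET)}: {csprng_entropy_bits():.1f} bits")
    print("weak password flagged:", needs_regeneration(clock_seeded_password(t), t - 60, t + 60))
    print("CSPRNG password flagged:", needs_regeneration(csprng_password(), t - 60, t + 60))
```

The entropy comparison is the practitioner's takeaway: lengthening the password or enlarging the character set does nothing for a clock-seeded generator, because the number of distinct outputs is bounded by the number of seconds in the window, not by the password's shape. The only fix is to replace the seed source with the platform CSPRNG, as `csprng_password` does.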