Password managers are a good thing because they allow you to collect today’s numerous and hopefully secure passwords without having to remember each one. Kaspersky also has such a “safe”. The problem: This one was easy to crack.
What do you expect from a security company and a password manager? The answer is easy: that they are secure. After all, you want to rely on such a manager and generate and store hundreds and even thousands of passwords there. But for years, that wasn’t the case with Kaspersky Password Manager, as a security researcher named Jean-Baptiste Bédrune has now uncovered as reported by ZDNet.
That’s because Kaspersky Password Manager (KPM) used a complex method to generate its passwords. Bédrune: “The goal of this method was to generate passwords that are difficult for standard password crackers to crack. However, this method lowered the strength of the generated passwords compared to specialized tools.”
One of KPM’s methods was to make greater use of letters that are not as common to trick cracker tools that use brute-force approaches. While this is a “clever” idea, according to Bédrune, it has a drawback: it can be easily exploited when specifically attacking or reading KPM passwords.
The Real Flaw
But that was not the real flaw: Because the KPM used the current system clock time in seconds as a Mersenne Twister pseudo-random number generator. This has a serious consequence, as the security researcher explains: “It means that every instance of Kaspersky Password Manager in the world generates exactly the same password at a given second.”
The reason why someone hasn’t noticed this already is due to an animation that can be seen when the password is generated, which lasts longer than a second. “The consequences are obviously bad: any password could be cracked by brute force,” Bédrune said. “Between 2010 and 2021, there are 315619200 seconds, so KPM could generate a maximum of 315619200 passwords for a given character set. Forcing the passwords only takes a few minutes.”
The fact that it wasn’t quite that easy after all was due to an (unintended) entropy factor, namely a faulty algorithm. There is also criticism of the manufacturer’s reaction: Kaspersky was already informed about the gap in 2019 but was slow to react. There was an update a few months later, but it took more than a year for a new version of the application, the disclosure of the gap even followed this year.
Brian is the news author at Research Snipers which mainly covers Technology News, Microsoft News, Google News, Facebook, Apple, Huawei, Xiaomi, and other tech news.