Software

Kaspersky Password Manager Was Not Secure For a Long Time

Password managers are a good thing because they allow you to collect today’s numerous and hopefully secure passwords without having to remember each one. Kaspersky also has such a “safe”. The problem: This one was easy to crack.

What do you expect from a security company and a password manager? The answer is easy: that they are secure. After all, you want to rely on such a manager and generate and store hundreds and even thousands of passwords there. But for years, that wasn’t the case with Kaspersky Password Manager, as a security researcher named Jean-Baptiste Bédrune has now uncovered as reported by ZDNet.

That’s because Kaspersky Password Manager (KPM) used a complex method to generate its passwords. Bédrune: “The goal of this method was to generate passwords that are difficult for standard password crackers to crack. However, this method lowered the strength of the generated passwords compared to specialized tools.”

One of KPM’s methods was to make greater use of letters that are not as common to trick cracker tools that use brute-force approaches. While this is a “clever” idea, according to Bédrune, it has a drawback: it can be easily exploited when specifically attacking or reading KPM passwords.

The Real Flaw

But that was not the real flaw: Because the KPM used the current system clock time in seconds as a Mersenne Twister pseudo-random number generator. This has a serious consequence, as the security researcher explains: “It means that every instance of Kaspersky Password Manager in the world generates exactly the same password at a given second.”

The reason why someone hasn’t noticed this already is due to an animation that can be seen when the password is generated, which lasts longer than a second. “The consequences are obviously bad: any password could be cracked by brute force,” Bédrune said. “Between 2010 and 2021, there are 315619200 seconds, so KPM could generate a maximum of 315619200 passwords for a given character set. Forcing the passwords only takes a few minutes.”

The fact that it wasn’t quite that easy after all was due to an (unintended) entropy factor, namely a faulty algorithm. There is also criticism of the manufacturer’s reaction: Kaspersky was already informed about the gap in 2019 but was slow to react. There was an update a few months later, but it took more than a year for a new version of the application, the disclosure of the gap even followed this year.

Share
Published by
Research Snipers

Recent Posts

Samsung Galaxy Tab S12 Ultra Leak shows design of the high-end tablet

New render images provide a preview of the upcoming Samsung Galaxy Tab S12 Ultra. While…

9 hours ago

TSMC wants to remain No. 1 in chips: A14, A13, A12 nodes from 2028

Taiwan Semiconductor Manufacturing Company (TSMC) has once again provided an outlook on its plans for…

9 hours ago

Apple iPad Mini 8 with OLED screen probably coming in autumn

The iPad Mini could soon see notable innovations for the first time in years. According…

9 hours ago

Pixel 11 Pro Fold Leak: Expected function appears to be missing

A current leak shows Google's upcoming folding smartphone in a new color variant. In addition…

9 hours ago

Tesla to introduce a bike, but not in the way you might think

The car manufacturer Tesla has brought a new two-wheeler onto the market. However, this is…

10 hours ago

Crash in the smartphone market: lowest sales figures in 13 years

The global smartphone market is experiencing a severe downturn, recording its worst quarter in 13…

1 day ago