Last year, Kaspersky Password Manager (KPM) users got an alert telling them to update their weaker passwords. In March 2019, security biz Kaspersky Lab shipped an update to KPM, promising that the application could identify weak passwords and generate strong replacements. Three months later, a team from security consultancy Donjon found that KPM didn't manage either task particularly well: the software used a pseudo-random number generator (PRNG) that was insufficiently random to create strong passwords. From that time until the last few months of 2020, KPM was suggesting passwords that could be easily cracked, without flagging the weak passwords for users.

"The password generator included in Kaspersky Password Manager had several problems," the Donjon research team explained in a blog post on Tuesday. "The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. All the passwords it created could be bruteforced in seconds."

In practical terms, the lack of randomness meant that for any given password character set, the set of passwords the generator could ever produce was small enough to be brute-forced in a few minutes. As one observer put it: "I was going to laugh off this Kaspersky password manager bug, but it is *amazing*. In the sense that I've never seen so many broken things in one simple piece of code."

A researcher who responsibly disclosed the flaw to Kaspersky, so that the company could fix it, explained that there were two flaws in the password management solution, as ZDNet reports. Password managers use a random number generator to create secure passwords, but Kaspersky was reportedly using the system time as a 'seed'.

"It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second," said Jean-Baptiste Bédrune, head of security at Ledger Donjon. "The consequences are obviously bad: every password could be bruteforced. For example, there are 315619200 seconds between 20, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes," he added.

Bédrune also discovered a second flaw, which the company probably introduced to defeat dictionary attacks, a technique in which attackers systematically try every word in a dictionary to find a password, according to the report. Kaspersky would use uncommon letter groupings like zr or qz to make passwords. The obvious downside of this scheme is that an attacker who knows the target uses Kaspersky Password Manager no longer has to search the whole character space evenly: trying those letter combinations first finds the generated passwords much faster.

The researcher informed Kaspersky of the issue in June 2019, and the company worked on a fix that was issued four months later, in October. A year later, the company notified its users that they would need to change some passwords. The company finally released an advisory in April 2021, detailing which versions of its software were affected by the issue. "All public versions of Kaspersky Password Manager liable to this issue now have a new logic of password generation and a passwords update alert for cases when a generated password is probably not strong enough," Kaspersky said in the advisory.

If you created an account with Kaspersky Password Manager after October 2019, you should be protected from the flaw that enabled the generation of less secure passwords. If you have been a user for longer, some of your passwords generated during or before 2019 may need to be regenerated: the fix changes how new passwords are produced, but it does not retroactively strengthen passwords that were generated while the weak logic was in place. The service should notify you about these passwords, which should make the process easier.

Follow HT Tech for the latest tech news and reviews, also keep up with us on Twitter, Facebook, Google News, and Instagram.
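The time-seeded design Bédrune describes, and the attack against it, can be reproduced in a few lines. The following is an added illustration, not KPM's code or Donjon's tooling: it assumes a password generator that seeds Python's Mersenne Twister (a non-cryptographic PRNG) with a whole-second Unix timestamp, which is a stand-in for whatever PRNG KPM actually used, and it uses a constructed character set and a constructed generation timestamp. The attacker side simply regenerates one candidate per second over the window in which the password was created, which is exactly why the search space collapses from len(charset)**length to the number of seconds in the window. The second flaw (biased letter groupings) is not modelled here.

```python
import random
import secrets
import string
from typing import Optional

# Constructed character set for the demo; KPM's real charsets are not on the page.
CHARSET = string.ascii_letters + string.digits


def weak_password(seed_seconds: int, length: int = 12, charset: str = CHARSET) -> str:
    """Assumed stand-in for the flawed design: seed a non-cryptographic PRNG
    (Mersenne Twister) with the current second. Every instance that runs at
    the same second produces the same password, because the seed is the only
    entropy source."""
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(charset) for _ in range(length))


def search_space(length: int, charset: str, window_seconds: int) -> tuple[int, int]:
    """Return (nominal, actual) keyspace sizes: what a uniformly random
    generator of this shape would give, versus one candidate per second."""
    return (len(charset) ** length, window_seconds)


def recover_seed(target: str, window_start: int, window_end: int,
                 charset: str = CHARSET) -> Optional[int]:
    """Attacker side: regenerate the candidate for every second in the window
    and stop when it matches the target password. Returns the generation
    timestamp (the seed), or None if the password was not produced in the window."""
    for second in range(window_start, window_end + 1):
        if weak_password(second, len(target), charset) == target:
            return second
    return None


def strong_password(length: int = 12, charset: str = CHARSET) -> str:
    """Corrected generator: draw each character from the OS CSPRNG via the
    secrets module. There is no seed to enumerate, so the attacker is back to
    the full len(charset)**length space."""
    return "".join(secrets.choice(charset) for _ in range(length))


if __name__ == "__main__":
    generated_at = 1_600_000_000  # constructed timestamp of the victim's generation
    victim_pw = weak_password(generated_at)

    # Attacker only knows the password was made within an hour either side.
    found = recover_seed(victim_pw, generated_at - 3600, generated_at + 3600)
    print(f"victim password: {victim_pw}")
    print(f"recovered generation time: {found} (match: {found == generated_at})")

    nominal, actual = search_space(12, CHARSET, 315_619_200)
    print(f"nominal keyspace: {nominal:e}, time-seeded keyspace: {actual:e}")
    print(f"strong password (not reproducible): {strong_password()}")
```

In the real attack the attacker also needs the target's charset and length, but those are fixed per generator configuration, so the only unknown that matters is the second at which the password was created.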