Kaspersky Password Manager Was Generating Easily Guessable Passwords

  • Passwords generated with older versions of the Kaspersky Password Manager are easily crackable.
  • This is due to a series of fundamental cryptographic errors that create a probabilistic guessing model.
  • Kaspersky suggests replacing older passwords with newly generated ones.

The Kaspersky Password Manager was found to be generating weak passwords that are easy to brute-force by researchers at Ledger Donjon, who began analyzing the software two years ago. Password generation is a key side-function of password managers, helping users create and assign lengthy passwords with random characters that make up for a strong result. In the case of Kaspersky’s tool, though, it appears that any passwords generated on it could be guessed by a computer in mere seconds.

The way Kaspersky Password Manager was set to generate passwords is seemingly complex, involving random floats, a multiplication step for increased entropy, and character picking based on dictionary infrequency. Additionally, the password generator uses the system time as a seed, and if a hacker correlates this with the account creation, they could narrow down the results to 100 probable passwords. Even in more vague cases, the number of passwords wouldn’t be more than a thousand.

Source: Donjon Ledger

This creates a probabilistic model upon which a password cracker would rely. If the password isn’t long enough (less than 12 characters), free tools like ‘John the Ripper’ would be able to guess it quickly, as long as the cracker knows the pass was generated on Kaspersky and sets the parameters accordingly. If the password is longer, but the cracker knows the time of creation, it would take a couple of minutes to brute-force it.

Source: Donjon Ledger

All of that was discovered and reported to Kaspersky back in June 2019, and the security company pushed the first fix in October of that year. However, that fix wasn’t completely free of defects, so it took another year to address the problem properly on all platforms, assign a CVE code (CVE-2020-27020), and alert users that they need to re-generate their passwords.

In April 2021, Kaspersky published an advisory, and in May, technical information for the vulnerability was published. If you have generated any passwords on KPM versions prior to those shown below, consider them easily crackable. In this case, update your software and generate new ones.

  • Kaspersky Password Manager for Windows 9.0.2 Patch F
  • Kaspersky Password Manager for Android 9.2.14.872
  • Kaspersky Password Manager for iOS 9.2.14.31

As for Kaspersky’s engineers, they have learned never to use "time" for seeding passwords, never to use floats in cryptography, always use a cryptographic random number generator, and to convert from bits to an alphabet of symbols.

Latest
How to Watch Kings of BBQ Online from Anywhere
Kings of BBQ follows Anthony Anderson, an Emmy-nominated performer and producer, and Cedric The Entertainer, an established comedian, as they take their...
How to Watch Hip Hop Treasures Online from Anywhere
Ice T and LL Cool J have teamed up to celebrate hip-hop's 50th anniversary in Hip Hop Treasures, a show focused on...
How to Watch New York Homicide Season 2 Online from Anywhere
In a bustling city like New York, crimes are bound to happen left and right. New York Homicide Season 2 explores different...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari