Kaspersky Password Manager Was Generating Easily Guessable Passwords

  • Passwords generated with older versions of the Kaspersky Password Manager are easily crackable.
  • This is due to a series of fundamental cryptographic errors that create a probabilistic guessing model.
  • Kaspersky suggests replacing older passwords with newly generated ones.

The Kaspersky Password Manager was found to be generating weak passwords that are easy to brute-force by researchers at Ledger Donjon, who began analyzing the software two years ago. Password generation is a key side-function of password managers, helping users create and assign lengthy passwords with random characters that make up for a strong result. In the case of Kaspersky’s tool, though, it appears that any passwords generated on it could be guessed by a computer in mere seconds.

The way Kaspersky Password Manager was set to generate passwords is seemingly complex, involving random floats, a multiplication step for increased entropy, and character picking based on dictionary infrequency. Additionally, the password generator uses the system time as a seed, and if a hacker correlates this with the account creation, they could narrow down the results to 100 probable passwords. Even in more vague cases, the number of passwords wouldn’t be more than a thousand.

Source: Donjon Ledger

This creates a probabilistic model upon which a password cracker would rely. If the password isn’t long enough (less than 12 characters), free tools like ‘John the Ripper’ would be able to guess it quickly, as long as the cracker knows the pass was generated on Kaspersky and sets the parameters accordingly. If the password is longer, but the cracker knows the time of creation, it would take a couple of minutes to brute-force it.

Source: Donjon Ledger

All of that was discovered and reported to Kaspersky back in June 2019, and the security company pushed the first fix in October of that year. However, that fix wasn’t completely free of defects, so it took another year to address the problem properly on all platforms, assign a CVE code (CVE-2020-27020), and alert users that they need to re-generate their passwords.

In April 2021, Kaspersky published an advisory, and in May, technical information for the vulnerability was published. If you have generated any passwords on KPM versions prior to those shown below, consider them easily crackable. In this case, update your software and generate new ones.

  • Kaspersky Password Manager for Windows 9.0.2 Patch F
  • Kaspersky Password Manager for Android 9.2.14.872
  • Kaspersky Password Manager for iOS 9.2.14.31

As for Kaspersky’s engineers, they have learned never to use “time” for seeding passwords, never to use floats in cryptography, always use a cryptographic random number generator, and to convert from bits to an alphabet of symbols.

REVIEW OVERVIEW

Latest

Is It Okay to Charge iPhone 13, Mini, Pro, or Pro Max Overnight?

Without any doubt, there are plenty of misconceptions about charging iOS devices. That’s even more true now since this year’s iPhones have the...

Is It Okay to Play Games While Charging iPhone 13? 

The iOS App Store offers more than one million games. Your options are practically limitless, with console-like games taking full advantage of iPhone 13’s...

Is It Bad to Use iPhone 13 While Charging? 

The latest iPhone generation comes with the longest battery life yet, managing to provide up to 2.5 extra hours of use. With that said,...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari