“Kaspersky Password Manager used a complex method to generate its passwords. This method aimed to create passwords hard to break for standard password crackers. However, such method lowers the strength of the generated passwords against dedicated tools,” Bédrune wrote.

One of the techniques used by KPM was to make letters that are not often used appear more frequently, which Bédrune said was probably an attempt to trick password cracking tools.

“Their password cracking method relies on the fact that there are probably more ‘e’ and ‘a’ in a password created by a human than ‘x’ or ‘j’, or that the bigrams ‘th’ and ‘he’ will appear much more often than ‘qx’ or ‘zr’,” he said. “Passwords generated by KPM will be, on average, far in the list of candidate passwords tested by these tools. If an attacker tries to crack a list of passwords generated by KPM, he will probably wait quite a long time until the first one is found.”

The flip side was that if an attacker could deduce that KPM was used, the bias in the password generator started to work against it. “If an attacker knows a person uses KPM, he will be able to break his password much more easily than a fully random password. Our recommendation is, however, to generate random passwords long enough to be too strong to be broken by a tool.”

The big mistake KPM made, though, was using the current system time in seconds as the seed of a Mersenne Twister pseudorandom number generator. “It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second,” Bédrune said. Because the program shows an animation that takes longer than a second when a password is created, Bédrune said this could be why the issue was not discovered.

“The consequences are obviously bad: every password could be bruteforced,” he said. “For example, there are 315619200 seconds between 20, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes,” he added.

Since websites and forums display the creation time of accounts, an attacker can try to brute force the account password with a small range of passwords (~100) and gain access to it. Moreover, passwords from leaked databases containing hashed passwords, passwords for encrypted archives, TrueCrypt/VeraCrypt volumes, etc. can also be easily retrieved if they had been generated using KPM.

Kaspersky was informed of the vulnerability in June 2019 and released the fixed version in October 2019. In October 2020, users were notified that some passwords would need to be regenerated.

“Password generator was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases. An attacker would need to know some additional information (for example, time of password generation),” the company said in its security advisory published on April 27, 2021.

Although the issue has now been patched, KPM versions before 9.0.2 Patch F on Windows, Android versions prior to 9.2.14.872, and iOS versions prior to 9.2.14.31 were affected. “All public versions of Kaspersky Password Manager liable to this issue now have a new logic of password generation and a passwords update alert for cases when a generated password is probably not strong enough.”

“Kaspersky has fixed a security issue in Kaspersky Password Manager, which potentially allowed an attacker to find out passwords generated by the tool,” Kaspersky said in a statement. “This issue was only possible in the unlikely event that the attacker knew the user’s account information and the exact time a password had been generated. It would also require the target to lower their password complexity settings.”

It further added, “The company has issued a fix to the product and has incorporated a mechanism that notifies users if a specific password generated by the tool could be vulnerable and needs changing.”

Kaspersky recommends that its users check the application version and install the latest updates.
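To make the seeding flaw concrete, here is a small Python model added to this article (it is not KPM's code or Bédrune's, and the charset, length and timestamp are constructed): a generator whose only input is the time in whole seconds, the CSPRNG-based alternative, and the collapse from the nominal entropy of the password space to what a second-granular seed can reach. It does not model the letter-frequency bias.

```python
import math
import random
import secrets
import string

# Constructed example charset; KPM's real charsets and lengths are not given here.
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"
SECONDS_IN_WINDOW = 315619200  # the seed count Bédrune cites for the period in question


def weak_generate(seed_seconds: int, length: int = 12, charset: str = CHARSET) -> str:
    """Toy model of the flaw: the system time in whole seconds is the only
    input to a Mersenne Twister (MT19937 is what random.Random implements).
    Hypothetical, not KPM's actual code."""
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(charset) for _ in range(length))


def strong_generate(length: int = 12, charset: str = CHARSET) -> str:
    """The fix: every character comes from the OS CSPRNG; there is no seed
    that two instances could share."""
    return "".join(secrets.choice(charset) for _ in range(length))


def same_second_collision(seed_seconds: int) -> bool:
    """Two independent instances generating in the same second agree,
    which is exactly the property Bédrune describes."""
    return weak_generate(seed_seconds) == weak_generate(seed_seconds)


def effective_bits(length: int, charset_size: int, distinct_seeds: int) -> dict:
    """Nominal entropy of the password space versus what a second-granular
    seed can actually reach: a cracker only has to cover the seeds."""
    return {
        "nominal_bits": length * math.log2(charset_size),
        "reachable_bits": math.log2(distinct_seeds),
    }


if __name__ == "__main__":
    t = 1_600_000_000  # constructed timestamp (2020-09-13 UTC)
    print("weak, same second twice:", weak_generate(t), weak_generate(t))
    print("weak, one second later: ", weak_generate(t + 1))
    print("strong:                 ", strong_generate(), strong_generate())
    print(effective_bits(12, len(CHARSET), SECONDS_IN_WINDOW))
```

With this charset a 12-character password nominally carries about 73 bits, but a time-seeded generator can only ever emit about 2^28 distinct passwords over the cited window, which is why Bédrune's "a few minutes" estimate holds regardless of password length.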