Kaspersky’s Password Manager had a fault in its password-generating technique, that led the service to suggest weak passwords for users for months.
After the fault was found, Kaspersky informed the users to update their weak passwords and rolled out a patch to fix the issue. The issue pertained to an old version of all KPM clients, which are now updated.
Fault in Kaspersky Password Manager
Kaspersky, a cybersecurity firm offering a range of products from antivirus software to threat monitoring, has one of its products – password manager bugged with a serious design fault.
Disclosing after two years, Kaspersky admitted to having the weakest password generator in its Kaspersky Password Manager (KPM) tool.
This was spotted by a security consultancy called Donjon, who said that KPM had used a pseudo-random number generator (PRNG) for suggesting strong passwords to its KPM users.
The PRNG technique was insufficient in creating random strong passwords and is not suited for cryptographic uses. And more importantly, it’s based on creating passwords using a single source of entropy – the current time of the device.
This makes it vulnerable as if the attacker manages to find out the current time of password creation, it could brute forced in seconds!
For example, as the Donjon team explained, “there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset.” Thus, brute-forcing them takes few minutes.
Kaspersky realized the threat and issued a patch to the Windows client earlier, but it still had glitches. Later, it rolled out actual patches to the web, Windows, Android, and iOS between October and December 2019.”
These would notify users about weak passwords they’re having and can update them to the strong ones. The issue was tracked with CVE-2020-27020 ID and advised users to update their clients for better security.