Last year, the developers of Kaspersky Password Manager (KPM) asked users to update their passwords to stronger ones. Now the specialists of Ledger Donjon (the information security division of the Ledger company, which develops crypto wallets), talked about why this happened, and what problems they discovered in KPM some time ago.Įxperts remind that in March 2019, Kaspersky Lab released an update for KPM, promising that now the application will be able to identify weak passwords and generate more reliable replacements for them. Three months later, the Ledger Donjon team found that KPM was not doing very well with this, as it used a pseudo-random number generator that did not produce enough random results to generate strong passwords. In particular, the characters in the passwords were generated and placed in a not entirely random way. #Kaspersky password manager flaw bruteforced passwords update# Since users tend to compromise their safety for the sake of convenience. Services like Kaspersky Password Manager allow users to save their complex, hard-to-remember passwords in an encrypted vault instead of unsafely writing them down on sticky notes. “The password generator in Kaspersky Password Manager had several problems. Most critical was that he used a pseudo-random number generator that was unusable for cryptographic purposes. The only source of entropy in it was the current system time, and all the passwords that it created could be found in a matter of seconds, ”the experts say. Educate users on safe practices and tools to help them keep track of their passwords. #Kaspersky password manager flaw bruteforced passwords generator# Kaspersky password manager flaw bruteforced passwords generator Kaspersky password manager flaw bruteforced passwords update The fact is that KPM was created to generate 12-digit passwords by default, although it allowed users to personalize their passwords by changing settings, including password length, uppercase and lowercase letters. The fact is that KPM was created to generate 12-digit passwords by default, although it allowed users to personalize their passwords by changing settings, including password length, uppercase and lowercase letters, numbers, and special characters. Researchers at Ledger Donjon say that by striving to create passwords that are as different as possible from passwords generated by the people themselves, the application has become predictable. #Kaspersky password manager flaw bruteforced passwords update#.#Kaspersky password manager flaw bruteforced passwords generator#. Digital vault and self-locking Now let’s look at the protection mechanisms. After that, all you need do is lock the vault. But if you were using KPM before October 2019, you’ll want to change your passwords. When you need to visit a website, you open the vault, and then you can either manually copy the data you need into the login form, or allow the password manager to autofill the saved login credentials for the website. Kaspersky has acknowledged the problems, and said that new logic is now applied. The problem is, if an attacker knows you use KPM, they can instead mount a brute-force attack with these combinations, which can actually take less time than a standard dictionary attack. To defeat dictionary attacks, KPM generated passwords that use letter groupings not found in words – like qz or zr. (Ironically, a bug in the code ended up introducing an additional variable that mitigated the problem in some cases.)Ī second flaw was less likely to be an issue in practice, as it only helped an attacker who knew you used KPM. Bruteforcing them takes a few minutes.”īédrune added due to sites often showing account creation time, that would leave KPM users vulnerable to a bruteforce attack of around 100 possible passwords. “For example, there are 315619200 seconds between 20, so KPM could generate at most 315619200 passwords for a given charset. “The consequences are obviously bad: every password could be bruteforced,” he said. “It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second,” Jean-Baptiste Bédrune said.īecause the program has an animation that takes longer than a second when a password is created, Bédrune said it could be why this issue was not discovered. The big mistake made by KPM though was using the current system time in seconds as the seed into a Mersenne Twister pseudorandom number generator.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |