Jul 7th, 2021 9:07 AM EDT

Kaspersky Password Manager was caught creating weak passwords that were easy to brute force. Kaspersky was alerted to the issue and has rolled out a fix. If you use Kaspersky's password manager, change your passwords now.

So what's the problem? Well, any random number generator needs one or more sources of entropy: the element of uncertainty that ensures the result remains random. But the seed that Kaspersky was starting with was the current system time, in seconds. Yes, time, one of the most predictable and non-random metrics out there. Apparently, the Kaspersky program didn't use any additional source of entropy other than the current time. Kaspersky Password Manager, a tool whose job was to generate random passwords, turned out not to be random at all.

Here's how Jean-Baptiste Bédrune, head of security research at Ledger Donjon, explained it in a blog post:

"So the seed used to generate every password is the current system time, in seconds. It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second. This would be obvious to spot if every click on the 'Generate' button, in the password generator interface, produced the same password."

The reason people didn't notice that every password generated in the same second was the exact same is that the interface plays a one-second animation, ensuring no one can generate two passwords in the same second.

But it's a big flaw. Passwords made with the Kaspersky tool can be brute-forced. The problem is that if hackers know you use KPM, they can mount a brute force attack with these groups of letters. Any hacker who knows the trick can brute force any password: the number of seconds in a day is finite, and a hacker can run through all 315,619,200 passwords tied to the seconds of the decade between 20 in just a few minutes. And, if an online account publicly displays the date that it was created on, a hacker will need to run through even fewer potential passwords before cracking a Kaspersky password.

Kaspersky was informed of the vulnerability in June 2019 and released a fix using new password logic in October of that year. The issue was assigned CVE-2020-27020, and Kaspersky published a security advisory detailing the flaw in April 2021. Users who have newer versions are advised to update potentially weak passwords. But every password that has already been generated by a vulnerable version of the software is still easily crackable: a bit of a nightmare for everyone who's using the service specifically to ensure their passwords can't be cracked.

"Kaspersky has fixed a security issue in Kaspersky Password Manager, which potentially allowed an attacker to find out passwords generated by the tool," a company spokesperson said in an email to The Register. "Password generator was not completely cryptographically strong and potentially allowed an attacker to.

And if you're in the market for a password manager that will keep your online activity private, we've reviewed all the top options in depth, none of which have run into trouble with tying their random number generators to an easily cracked algorithm.
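As an added illustration (not Kaspersky's code, and not taken from Ledger Donjon's write-up), the sketch below models the flaw the article describes: a generator whose only input is the system time in seconds is a deterministic function of roughly 3.2e8 possible seeds per decade, beside a generator that draws from the operating system's CSPRNG. The alphabet, the password length and the hash-based expansion are assumptions made for the illustration.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # assumed character set
LENGTH = 12                                       # assumed password length
DECADE_SECONDS = 315_619_200                      # figure quoted in the article


def time_seeded_password(seed_seconds: int, length: int = LENGTH) -> str:
    """Model of the weak design: the ONLY input is the clock, in seconds.

    The expansion (SHA-256 of seed || counter) is an assumption; the weakness
    lies in the tiny seed space, not in how the seed is stretched.
    """
    out = []
    counter = 0
    while len(out) < length:
        block = hashlib.sha256(
            seed_seconds.to_bytes(8, "big") + counter.to_bytes(4, "big")
        ).digest()
        for b in block:
            if len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
        counter += 1
    return "".join(out)


def csprng_password(length: int = LENGTH) -> str:
    """Hardened form: every character comes from the OS CSPRNG via secrets."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def seed_space_bits(seed_count: int) -> float:
    """Effective entropy when the password is a function of one of seed_count seeds."""
    return math.log2(seed_count)


def alphabet_space_bits(length: int = LENGTH) -> float:
    """Entropy a length-character password over ALPHABET should carry."""
    return length * math.log2(len(ALPHABET))


def repeats_within_same_second(seed_seconds: int) -> bool:
    """The check the article's one-second animation hid: same second, same password."""
    return time_seeded_password(seed_seconds) == time_seeded_password(seed_seconds)


if __name__ == "__main__":
    print("weak  :", time_seeded_password(1_600_000_000), "repeat:", repeats_within_same_second(1_600_000_000))
    print("strong:", csprng_password())
    print(f"seed space  ~{seed_space_bits(DECADE_SECONDS):.1f} bits vs "
          f"nominal {alphabet_space_bits():.1f} bits")
```

The gap between the two bit counts is the article's point: a 12-character password that should carry about 71 bits of entropy collapses to about 28 bits when its only input is a per-second clock.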