Password managers are a vital line of defense in the battle for internet security - which makes it all the more painful when they shit the bed.

The Kaspersky Password Manager (KPM), a free tool used to generate and manage online passwords, has long been a popular alternative to the likes of LastPass or 1Password.

Unfortunately, according to security researcher Jean-Baptiste Bédrune, a bad coding decision meant that the passwords it generated weren't truly random and as a result were relatively easy to brute force - a hacking technique using specialized tools to try hundreds of thousands (or millions) of password combinations in an attempt to guess the right one.

Bédrune, who is a security researcher for the cryptocurrency hard-wallet company Ledger, writes that when generating a supposedly random password, KPM used the current time as its "single source of entropy."

While that sounds super technical, it essentially boils down to KPM using the time as the basis for its pseudo-random number generator. Knowing when the password was generated, even approximately, would therefore give a hacker vital information in an attempt to crack a victim's account.

"All the passwords it created could be bruteforced in seconds," writes Bédrune.

Bédrune's team submitted the vulnerability to Kaspersky through HackerOne's bug bounty program in June of 2019, and Ledger's blog post says Kaspersky notified potentially affected users in October of 2020.

When reached for comment, Kaspersky confirmed - but downplayed - the problem identified by Bédrune.

"This issue was only possible in the unlikely event that the attacker knew the user's account information and the exact time a password had been generated," wrote a company spokesperson. "It would also require the target to lower their password complexity settings."

Kaspersky also published a security advisory detailing the flaw in April of 2021.

"Password generator was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases," read the alert. "An attacker would need to know some additional information (for example, time of password generation)."

That alert also noted that, going forward, the password manager had fixed the issue - a claim echoed by the spokesperson.

"The company has issued a fix to the product and has incorporated a mechanism that notifies users if a specific password generated by the tool could be vulnerable and needs changing."

So what does this mean for the average KPM user? Well, if they've been using the same KPM-generated passwords for over two years (a habit that would typically be fine), they should create new ones.

Other than that? Keep using a password manager and enable two-factor authentication.

Last year, the developers of Kaspersky Password Manager (KPM) asked users to update their passwords to stronger ones. Now the specialists of Ledger Donjon (the information security division of the Ledger company, which develops crypto wallets) have talked about why this happened and what problems they discovered in KPM some time ago.

The experts recall that in March 2019, Kaspersky Lab released an update for KPM, promising that the application would now be able to identify weak passwords and generate more reliable replacements for them. Three months later, the Ledger Donjon team found that KPM was not doing very well with this, as it used a pseudo-random number generator that did not produce enough randomness to generate strong passwords. In particular, the characters in the passwords were generated and placed in a not entirely random way.

"The password generator in Kaspersky Password Manager had several problems. Most critical was that it used a pseudo-random number generator that was unusable for cryptographic purposes. The only source of entropy in it was the current system time, and all the passwords that it created could be found in a matter of seconds," the experts say.
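To make the mechanism concrete, here is an added example; it is not code from the page, from Kaspersky or from Ledger Donjon. It models the flaw with a constructed stand-in (a Mersenne Twister seeded only with the generation time in whole seconds, which is a simplifying assumption about how KPM behaved) next to the hardened form that draws every character from the OS CSPRNG, plus a reproducibility check and an entropy comparison that shows why knowing the generation time "even approximately" collapses the search space. The timestamp, the 12-character length and the 94-character alphabet are constructed values for illustration.

```python
import math
import random
import secrets
import string

# Character set: 94 printable ASCII characters (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
PASSWORD_LENGTH = 12


def weak_generate(timestamp_seconds: int, length: int = PASSWORD_LENGTH) -> str:
    """Constructed stand-in for the flaw the article describes.

    The only entropy fed into the generator is the generation time in whole
    seconds, and the generator is a Mersenne Twister (random.Random), which is
    not a CSPRNG. Anyone who knows the timestamp reproduces the password exactly.
    """
    rng = random.Random(timestamp_seconds)  # seeded solely from the clock
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int = PASSWORD_LENGTH) -> str:
    """Hardened form: every character comes from the OS CSPRNG via the
    secrets module, so there is no seed for anyone to recover."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def reproducible_from_time(password: str, timestamp_seconds: int) -> bool:
    """Defender-side check: does the weak generator, seeded with this
    timestamp, emit exactly this password? True means the password carries
    no entropy beyond its generation time."""
    return weak_generate(timestamp_seconds, len(password)) == password


def nominal_entropy_bits(length: int = PASSWORD_LENGTH) -> float:
    """Entropy a password of this length looks like it has when every
    character is drawn independently and uniformly from ALPHABET."""
    return length * math.log2(len(ALPHABET))


def effective_entropy_bits(window_seconds: int) -> float:
    """Entropy the weak generator actually delivers when the generation time
    is known to lie within a window: one distinct output per second, so the
    candidate space is the window size, independent of password length."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    # Constructed timestamp for illustration (2020-09-13T12:26:40Z).
    ts = 1_600_000_000
    weak = weak_generate(ts)
    print("weak password      :", weak)
    print("same clock, again  :", weak_generate(ts))  # identical output
    print("reproducible?      :", reproducible_from_time(weak, ts))
    print("nominal entropy    : %.1f bits" % nominal_entropy_bits())
    # If the generation time is known to within one day, the weak generator
    # offers only log2(86400), about 16.4 bits, against about 78.7 nominal bits.
    print("effective (1 day)  : %.1f bits" % effective_entropy_bits(86_400))
    print("strong password    :", strong_generate())
```

The fix is not a better seed but no seed at all: `secrets` reads from the operating system's entropy pool on every call, so the password length really does translate into search space, whereas a clock-seeded generator can never deliver more distinct outputs than there are seconds in the window an adversary has to consider.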