Kaspersky Password Manager created predictable passwords

Kaspersky Password Manager, the password manager of the Russian-based antivirus company, created insecure passwords for years. A vulnerability in the application made it possible for hackers to predict generated passwords. The company rolled out a security update two years after the vulnerability was discovered.

‘At one point the same password was created all over the world’

Kaspersky Password Manager offers users the option to generate passwords. This password generator contained multiple issues. The most serious was that the application used a pseudo-random number generator (PRNG) that is not suitable for cryptographic purposes.

In principle, Kaspersky Password Manager’s PRNG provided adequate protection against brute force attacks, in which special software tries an unlimited number of usernames and passwords until there is a match. The PRNG was versatile enough to protect users from such crackers. “However, this method reduces the strength of the generated passwords compared to dedicated tools,” writes researcher Jean-Baptiste Bédrune.

Kaspersky Password Manager uses a Mersenne Twister PRNG. The main danger is that only the system time, in whole seconds, was used as the seed for generating passwords. “This means that every Kaspersky Password Manager in the world will generate the exact same password at some point,” says the security researcher.

Kaspersky fixes vulnerability with update

Because of this, it was possible to guess any generated password with a brute force attack. “For example, there are 315,619,200 seconds between 2010 and 2021, so KPM could have generated a maximum of 315,619,200 passwords for a given character set. Brute-forcing it only takes a few minutes,” explains Bédrune. However, this only applies to passwords whose character set and length were never modified from the defaults. Kaspersky defaults to twelve characters.
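To illustrate the point, here is an added example (not code from Kaspersky or from the researcher) contrasting a generator seeded only with the clock in seconds against one drawing from the operating system's CSPRNG. Python's `random.Random` is a Mersenne Twister, as in the article, but the exact seeding of Kaspersky Password Manager is not reproduced; the character set is a constructed assumption.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # constructed: 62-character set
LENGTH = 12  # the article notes Kaspersky defaults to twelve characters


def weak_password(unix_seconds: int, length: int = LENGTH, alphabet: str = ALPHABET) -> str:
    """Illustrative weak generator: Mersenne Twister seeded with the clock in
    whole seconds. Anyone who knows (or guesses) the second knows the password."""
    rng = random.Random(unix_seconds)
    return "".join(rng.choice(alphabet) for _ in range(length))


def strong_password(length: int = LENGTH, alphabet: str = ALPHABET) -> str:
    """Hardened generator: every symbol comes from the OS CSPRNG, so there is
    no seed to reconstruct and no two runs are related."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def same_second_collides(unix_seconds: int) -> bool:
    """Two installs generating in the same second produce the same password."""
    return weak_password(unix_seconds) == weak_password(unix_seconds)


def seed_space(start_seconds: int, end_seconds: int) -> int:
    """Candidate passwords a seconds-seeded generator can ever emit for one
    character set and length within a time window: one per second."""
    return end_seconds - start_seconds


def nominal_bits(length: int = LENGTH, alphabet: str = ALPHABET) -> float:
    """Entropy the password looks like it has (length * log2(alphabet size))."""
    return length * math.log2(len(alphabet))


def effective_bits(seed_count: int) -> float:
    """Entropy actually present when the only secret is the seed."""
    return math.log2(seed_count)


if __name__ == "__main__":
    t = 1_600_000_000  # constructed timestamp
    print("weak, same second twice:", weak_password(t), weak_password(t))
    print("strong, two runs:", strong_password(), strong_password())
    print(f"nominal {nominal_bits():.1f} bits vs effective "
          f"{effective_bits(315_619_200):.1f} bits for the article's window")
```

The nominal figure is what a twelve-character password from a 62-symbol set should offer; the effective figure is what remains when the seed is the only unknown, which is why the article's window can be searched in minutes.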

This vulnerability – registered as CVE-2020-27020 – was reported to Kaspersky in June 2019. The Russian antivirus company has now fixed the vulnerability with a security update. The company made the details public on Tuesday.

How to choose a good password manager

Good password management is important, but easier said than done. Many Dutch people come up with a simple password or reuse the same access code for multiple online accounts. That is of course not smart: if a hacker manages to find out your password, all your accounts are at risk.

Fortunately, there is a solution to this problem: a password manager. This tool helps you create and store strong passwords. As soon as you visit a website for which you have created an account and want to log in, a password manager will automatically fill in your login name and password. The only password you need to remember is that of your password manager.

Wondering what to look out for when selecting a password manager? Or what are the best password managers right now? VPNGids.nl answers both questions in the article ‘Best password manager of 2021 – Which password manager should I take?’. We also explain the difference between free and paid password managers, and how secure they are.

