Cybersecurity researchers have found a weakness in the Kaspersky Password Manager platform which created cryptographically weak passwords that could be brute forced.
Ledger Donjon, the security research team at Ledger, claims it took Kaspersky almost two years to patch the vulnerability, which was first flagged in 2019.
“The password generator included in Kaspersky Password Manager (KPM) had several problems. The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. All the passwords it created could be bruteforced in seconds,” wrote Ledger Donjon’s head of security research, Jean-Baptiste Bédrune.
- These are the best password generators
- Here’s our list of the best password managers
- We’ve also compiled a list of the best password managers for businesses
Not random enough
In his unraveling of the flaw, tracked as CVE-2020-27020, Bédrune says that the method KPM used to generate its passwords was complex enough to stand against standard password crackers, but at the same time was weak enough to fall prey to dedicated tools.
Bédrune faults KPMs use of the current system time as the random seed value, which despite the one-second animation of rapidly shifting random characters to obscure the moment the actual password is generated, only made the problem harder to spot.
This lack of randomness meant passwords could be brute-forced in a matter of minutes, and perhaps even in seconds if the exact creation time is known.
“Moreover, passwords from leaked databases containing hashed passwords, passwords for encrypted archives, TrueCrypt/Veracrypt volumes, etc. can be also easily retrieved if they had been generated using Kaspersky Password Manager,” writes Bédrune who demonstrated the vulnerability using a proof-of-concept.
Kaspersky has now fixed the vulnerability in all their apps, and all KPM users are advised to update to the latest version without delay.
- We’ve also rounded up the best security keys