Kaspersky Password Manager generated easily cracked passwords

Posted:
in iOS edited July 7
Security researchers show that Kaspersky used the current time to generate passwords prior to a 2019 update, which led to easy to crack passwords.

Kaspersky Password Manager made easy to crack passwords prior to October 2019
Kaspersky Password Manager made easy to crack passwords prior to October 2019


Password generators are not always entirely random since there is potential for weak passwords in entirely random sequences. However, rather than use several layers of logic to develop a strong password, Kaspersky was using only the current time to determine a generated password.

ZDNet shared research performed by Ledger Donjon explaining the issue behind using this kind of logic to generate a password. According to the research, it meant every instance of Kaspersky in the world would generate the same password at a given second.

"If an attacker knows a person uses KPM, he will be able to break his password much more easily than a fully random password," said Ledger Donjon's head security researcher. "Our recommendation is, however, to generate random passwords long enough to be too strong to be broken by a tool."

So, someone trying to hack a user's account need only know when the account was created and if the Kaspersky Password Manager was used. Every password created could be easily bruteforced.

"For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset," the researcher continued. "Bruteforcing them takes a few minutes."

KPM versions before 9.0.2 Patch F on Windows, 9.2.14.872 on Android, or 9.2.14.31 on iOS were affected.

Kaspersky was informed of the vulnerability in June 2019 and released a fix using new password logic in October of that year. Users who have newer versions are advised to update potentially weak passwords, but any password created before October 2019 could be at risk.

Kaspersky reached out to AppleInsider with a statement about the matter.

"Kaspersky has fixed a security issue in Kaspersky Password Manager, which potentially allowed an attacker to find out passwords generated by the tool. This issue was only possible in the unlikely event that the attacker knew the user's account information and the exact time a password had been generated. It would also require the target to lower their password complexity settings."

"The company has issued a fix to the product and has incorporated a mechanism that notifies users if a specific password generated by the tool could be vulnerable and needs changing."

"We recommend that our users install the latest updates. To make the process of receiving updates easier, our home products support automatic updates."

Keep up with everything Apple in the weekly AppleInsider Podcast -- and get a fast news update from AppleInsider Daily. Just say, "Hey, Siri," to your HomePod mini and ask for these podcasts, and our latest HomeKit Insider episode too.If you want an ad-free main AppleInsider Podcast experience, you can support the AppleInsider podcast by subscribing for $5 per month through Apple's Podcasts app, or via Patreon if you prefer any other podcast player.

Comments

  • Reply 1 of 11
    Dead_PoolDead_Pool Posts: 60member
    In Russia, passwords crack you. 
    WgkruegerStrangeDaysOferwatto_cobra
  • Reply 2 of 11
    22july201322july2013 Posts: 2,511member
    Neither this article nor the ZDnet article asked whether this "mistake" could have been created ON PURPOSE. I suppose ZDnet and AI would never consider the idea that crypto code coming from a country that has nukes aimed at us would ever do anything intentional to harm us. I wonder how many other "mistakes" there could be in that product.
    qwerty52maltzOferwatto_cobra
  • Reply 3 of 11
    otrfanotrfan Posts: 4unconfirmed, member
    I don’t understand how anyone would trust a Russian product like this. I have nothing against Russians but the “government” is certainly untrustworthy. 
    igorskymaltzOferbuttesilverwatto_cobra
  • Reply 4 of 11
    igorskyigorsky Posts: 576member
    otrfan said:
    I don’t understand how anyone would trust a Russian product like this. I have nothing against Russians but the “government” is certainly untrustworthy. 
    As a Russian person, I wholeheartedly agree with you.  You cannot safely use anything out of Russia or China since those companies are at the mercy of their respective authoritarian regimes in which they do business.  Simple as that.
    edited July 7 StrangeDaystokyojimuqwerty52maltzOferbuttesilverRayz2016watto_cobra
  • Reply 5 of 11
    qwerty52qwerty52 Posts: 311member
    Neither this article nor the ZDnet article asked whether this "mistake" could have been created ON PURPOSE. I suppose ZDnet and AI would never consider the idea that crypto code coming from a country that has nukes aimed at us would ever do anything intentional to harm us. I wonder how many other "mistakes" there could be in that product.

    I thought just the same, when I read it this article. I don’t trust products coming from Russia or China. Especially software!
    Oferwatto_cobra
  • Reply 6 of 11
    Kaspersky has since replaced the password generator with one that is far more difficult to determine how it easy it is to crack.
    baconstang
  • Reply 7 of 11
    mknelsonmknelson Posts: 824member
    Neither this article nor the ZDnet article asked whether this "mistake" could have been created ON PURPOSE. I suppose ZDnet and AI would never consider the idea that crypto code coming from a country that has nukes aimed at us would ever do anything intentional to harm us. I wonder how many other "mistakes" there could be in that product.
    That's the difference between journalism and punditry.

    Responsible journalists report the facts, they don't leave open ended questions. Investigate, then disseminate.
    OferFileMakerFellerwatto_cobra
  • Reply 8 of 11
    baconstangbaconstang Posts: 780member
    I usually use 9 or 10 characters.  Upper and lower case, numerals and a few symbols.

    So, 26 times 2, plus 15 is 67 to the ninth power is 2.72e16....about 27 quadrillion combos.  Should take a while to crack.
    edited July 7 watto_cobra
  • Reply 9 of 11
    gatorguygatorguy Posts: 23,165member
    I usually use 9 or 10 characters.  Upper and lower case, numerals and a few symbols.

    So, 26 times 2, plus 15 is 67 to the ninth power is 2.72e16....about 27 quadrillions combos.  Should take a while.
    Don't lose your phone even with that long and complicated password protecting it. I expect an article within hours discussing a ridiculously easy way of cracking every iPhone from the 5 to the 11. Use eSIMS when available instead of a physical one, which is what I've begun doing, and close another loophole.   
    baconstang
  • Reply 10 of 11
    Oh, uh, Wesley —

    Use hyphens to connect two or more words placed before the word they describe: "easy-to-crack passwords."

    Use no hyphens when those same words come after the word they're describing: "The passwords were easy to crack."

    Not that knowing this standard convention would make your writing easier to decipher or anything…
  • Reply 11 of 11
    15 months to issue a fix???

    Somebody's not especially serious about security. Or maybe they believe their own public statement, as opposed to the opinion of a security researcher.
    watto_cobra
Sign In or Register to comment.