Skip to main content

Kaspersky's random password generator isn't actually random at all

Security Key
(Image credit: Pixabay)

Cybersecurity researchers have found a weakness in the Kaspersky Password Manager platform which created cryptographically weak passwords that could be brute forced.

Ledger Donjon, the security research team at Ledger, claims it took Kaspersky almost two years to patch the vulnerability, which was first flagged in 2019.

“The password generator included in Kaspersky Password Manager (KPM) had several problems. The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. All the passwords it created could be bruteforced in seconds,” wrote Ledger Donjon’s head of security research, Jean-Baptiste Bédrune.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

>> Click here to start the survey in a new window <<

Not random enough

In his unraveling of the flaw, tracked as CVE-2020-27020, Bédrune says that the method KPM used to generate its passwords was complex enough to stand against standard password crackers, but at the same time was weak enough to fall prey to dedicated tools.

Bédrune faults KPMs use of the current system time as the random seed value, which despite the one-second animation of rapidly shifting random characters to obscure the moment the actual password is generated, only made the problem harder to spot.

This lack of randomness meant passwords could be brute-forced in a matter of minutes, and perhaps even in seconds if the exact creation time is known.

“Moreover, passwords from leaked databases containing hashed passwords, passwords for encrypted archives, TrueCrypt/Veracrypt volumes, etc. can be also easily retrieved if they had been generated using Kaspersky Password Manager,” writes Bédrune who demonstrated the vulnerability using a proof-of-concept.

Kaspersky has now fixed the vulnerability in all their apps, and all KPM users are advised to update to the latest version without delay.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.