Ledger Donjon, the security research team at Ledger, claims it took Kaspersky almost two years to patch the vulnerability, which was first flagged in 2019.
“The password generator included in Kaspersky Password Manager (KPM) had several problems. The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. All the passwords it created could be bruteforced in seconds,” wrote Ledger Donjon’s head of security research, Jean-Baptiste Bédrune.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.
- These are the best password generators
- Here’s our list of the best password managers
- We’ve also compiled a list of the best password managers for businesses
Not random enough
In his unraveling of the flaw, tracked as CVE-2020-27020, Bédrune says that the method KPM used to generate its passwords was complex enough to stand against standard password crackers, but at the same time was weak enough to fall prey to dedicated tools.
Bédrune faults KPMs use of the current system time as the random seed value, which despite the one-second animation of rapidly shifting random characters to obscure the moment the actual password is generated, only made the problem harder to spot.
This lack of randomness meant passwords could be brute-forced in a matter of minutes, and perhaps even in seconds if the exact creation time is known.
“Moreover, passwords from leaked databases containing hashed passwords, passwords for encrypted archives, TrueCrypt/Veracrypt volumes, etc. can be also easily retrieved if they had been generated using Kaspersky Password Manager,” writes Bédrune who demonstrated the vulnerability using a proof-of-concept.
Kaspersky has now fixed the vulnerability in all their apps, and all KPM users are advised to update to the latest version without delay.
- We’ve also rounded up the best security keys