Recently, a security researcher reported that a vulnerability in Kaspersky Password Manager weakened the passwords it generated, so that an attacker could brute-force them in a few seconds.
Kaspersky Password Manager (KPM), developed by the Russian security company Kaspersky, lets users store passwords and documents securely and also generates passwords on demand.
All sensitive data stored in the KPM vault is protected by a master password. The app is available for Windows, macOS, Android and iOS, and the vault can also be accessed through a web interface.
About two years ago, Ledger security researcher Jean-Baptiste Bédrune found that the application's password generation mechanism was weak, allowing an attacker to brute-force a KPM-generated password in a few seconds.
By default KPM generates a 12-character password, but users can customize the result through settings in the KPM interface (e.g. password length, upper and lower case letters, digits, and special characters).
The Ledger researchers explained that KPM's problem differs from that of other password managers: in trying to make its generated passwords as unlike commonly used passwords as possible, the application made them predictable.
“The passwords were designed to resist common password-cracking programs. However, an attacker who knows the algorithm KPM uses to generate passwords can exploit it,” said Bédrune.
“We can conclude that the password generation algorithm itself is not that bad: it will resist cracking tools. But if an attacker knows that a target uses passwords generated by KPM, cracking them becomes much easier,” the researchers said.
The vulnerability is tracked as CVE-2020-27020 and stems from the use of a pseudo-random number generator (PRNG) that is not cryptographically secure. The desktop app uses the Mersenne Twister PRNG, and the web version uses the Math.random() function; neither is suitable for generating cryptographic secrets.
The researchers found that KPM seeds the generator with the current system time for each password, which means that every KPM instance in the world generates exactly the same password at a given second.
“The consequences of this vulnerability are obviously very bad: every password can be brute-forced. For example, there are 315,619,200 seconds between 2010 and 2021, so KPM can generate 315,619,200 passwords for a given character set, and brute-forcing them takes only a few minutes,” Bédrune said.
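The following Python snippet is an added illustration of the flaw described above, not code from KPM or from the Ledger write-up. It seeds a Mersenne Twister (Python's `random.Random`) with a timestamp, shows that independent instances started in the same second produce identical passwords, compares the nominal key space with the time-bounded one, and contrasts this with a generator backed by the OS CSPRNG; the character set and timestamps are constructed assumptions.

```python
import math
import random
import secrets
import string

# Constructed character set (KPM's real classes are configurable; this is a stand-in).
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"


def weak_generate(seed_second: int, length: int = 12, charset: str = CHARSET) -> str:
    """Flawed pattern: Mersenne Twister seeded with the wall-clock second.
    Every instance started in the same second derives the same password."""
    rng = random.Random(seed_second)  # random.Random is MT19937
    return "".join(rng.choice(charset) for _ in range(length))


def strong_generate(length: int = 12, charset: str = CHARSET) -> str:
    """Corrected pattern: draw each character from the OS CSPRNG, no time seed."""
    return "".join(secrets.choice(charset) for _ in range(length))


def distinct_passwords(generate, instances: int) -> int:
    """How many different passwords `instances` independent runs produce."""
    return len({generate() for _ in range(instances)})


def nominal_bits(length: int = 12, charset: str = CHARSET) -> float:
    """Entropy a reader would expect from the charset and length."""
    return length * math.log2(len(charset))


def effective_bits(window_seconds: int) -> float:
    """Entropy actually delivered when the only secret is the generation second:
    one candidate per second in the window the attacker has to search."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    t = 1_600_000_000  # constructed timestamp
    print("two instances, same second:", weak_generate(t), weak_generate(t))
    print("weak, 5 runs same second:", distinct_passwords(lambda: weak_generate(t), 5))
    print("strong, 5 runs:", distinct_passwords(strong_generate, 5))
    print("nominal bits: %.1f, effective bits over 11 years: %.1f"
          % (nominal_bits(), effective_bits(315_619_200)))
```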
The vulnerability was reported to Kaspersky in 2019 but was only disclosed publicly in April 2021.
“The password generator was not completely cryptographically strong. In some cases, an attacker could predict a user's password after learning some additional information (e.g. the time the password was generated). All public KPM versions that may have this problem now use updated password generation logic and a password update alert,” Kaspersky noted in its advisory.
The advisory also recommends that users update to Kaspersky Password Manager for Windows 9.0.2 Patch F, Kaspersky Password Manager for Android 184.108.40.2062 and Kaspersky Password Manager for iOS 220.127.116.11.