The Kaspersky password manager was not at all secure and your passwords could be cracked

Darkcrizt

4 minutes

Few days ago a tremendous scandal was set up on the net by a publication made by Donjon (a security consultancy) in which basically discussed various security issues of "Kaspersky Password Manager" especially in its password generator, as it demonstrated that every password it generated could be cracked by a brute force attack.

And it is that the security consultancy Donjon he discovered that Between March 2019 and October 2020, Kaspersky Password Manager generated passwords that could be cracked in seconds. The tool used a pseudo-random number generator that was singularly unsuitable for cryptographic purposes.

Researchers discovered that the password generator it had several problems and one of the most important was that PRNG used only one entropy source In short, it was that the generated passwords were vulnerable and not at all secure.

“Two years ago, we reviewed Kaspersky Password Manager (KPM), a password manager developed by Kaspersky. Kaspersky Password Manager is a product that safely stores passwords and documents in an encrypted and password-protected safe. This safe is protected by a master password. So like other password managers, users need to remember a single password to use and manage all of their passwords. The product is available for different operating systems (Windows, macOS, Android, iOS, Web…) Encrypted data can be automatically synchronized between all your devices, always protected by your master password.

“The main feature of KPM is password management. A key point with password managers is that, unlike humans, these tools are good at generating strong and random passwords. To generate strong passwords, Kaspersky Password Manager must rely on a mechanism for generating strong passwords ”.

To the problem assigned the index CVE-2020-27020, where the caveat that "an attacker would need to know additional information (for example, the time the password was generated)" is valid, the fact is that Kaspersky passwords were clearly less secure than people thought.

"The password generator included in Kaspersky Password Manager has encountered several problems," the Dungeon research team explained in a post on Tuesday. “The most important thing is that he was using an inappropriate PRNG for cryptographic purposes. Its only source of entropy was the present tense. Any password you create could be brutally broken in seconds. "

Dungeon points out that Kaspersky's big mistake was using the system clock in seconds as a seed in a pseudo-random number generator.

"This means that every instance of Kaspersky Password Manager in the world will generate exactly the same password in a given second," says Jean-Baptiste Bédrune. According to him, every password could be the target of a brute force attack ”. “For example, there are 315,619,200 seconds between 2010 and 2021, so KPM could generate a maximum of 315,619,200 passwords for a given character set. A brute force attack on this list only takes a few minutes. "

Researchers of Dungeon concluded:

“Kaspersky Password Manager used a complex method to generate its passwords. This method was aimed at creating hard-to-crack passwords for standard password hackers. However, such a method reduces the strength of the generated passwords compared to dedicated tools. We have shown how to generate strong passwords using KeePass as an example: simple methods like sweepstakes are safe, as soon as you get rid of "modulus bias" while looking at a letter in a given character range.

“We also analyzed Kaspersky's PRNG and showed that it was very weak. Its internal structure, a Mersenne tornado from the Boost library, is not suitable for generating cryptographic material. But the biggest flaw is that this PRNG was seeded with the current time, in seconds. This means that each password generated by vulnerable versions of KPM can be brutally tampered with in a matter of minutes (or a second if you know roughly the generation time).

Kaspersky was informed of the vulnerability in June 2019 and released the patch version in October of the same year. In October 2020, users were informed that some passwords would have to be regenerated, and Kaspersky published its security advisory on April 27, 2021:

“All public versions of Kaspersky Password Manager responsible for this problem now have a new one. Password generation logic and password update alert for cases where a generated password is probably not strong enough ”, says the security company

Source: https://donjon.ledger.com


Leave a Comment

Your email address will not be published. Required fields are marked with *

*

*

  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   luix said
    ago 3 years

    Passwords are like padlocks: there is not one 100% secure, but the more complex it is, the greater the time and effort required.

    Reply to luix
  2.   ArtEze said
    ago 3 years

    Pretty incredible, but whoever doesn't have access to her computer can't even get to the teacher. Nowadays, everyone has their own computer, unless someone's friend goes to their house and by chance they find that they have that program installed.

    They were lucky enough to have the source code of the program to be able to understand how they were generated, if it had been a binary, it must first be decompiled, which is difficult, not many understand bit language, or directly by brute force without understanding how it works.

    Reply to ArtEze