Kaspersky's password manager was not secure at all and your passwords could have been cracked

A few days ago a major scandal broke online over a publication by Donjon (a security consultancy) that discussed various security problems in "Kaspersky Password Manager", especially in its password generator, and showed that every password it generated could be cracked by a brute-force attack.

The security consultancy Donjon found that between March 2019 and October 2020, Kaspersky Password Manager generated passwords that could be cracked in seconds. The tool used a pseudo-random number generator that was particularly unsuited to cryptographic purposes.

The researchers found that the password generator had several problems, one of the most important being that the PRNG used only a single source of entropy. In short, the generated passwords were vulnerable and not secure at all.

“Two years ago, we reviewed Kaspersky Password Manager (KPM), a password manager developed by Kaspersky. Kaspersky Password Manager is a product that securely stores passwords and documents in a secure, password-protected vault. This vault is protected by a master password. So, as with other password managers, users need to remember a single password to use and manage all their passwords. The product is available for various operating systems (Windows, macOS, Android, iOS, Web…). Encrypted data can be automatically synchronized between all your devices, always protected by your master password.

“The main feature of KPM is password management. A key point about password managers is that, unlike humans, these tools are good at generating strong, random passwords. To generate strong passwords, Kaspersky Password Manager must rely on a strong password generation mechanism.”

The issue was assigned the identifier CVE-2020-27020, where the caveat that "an attacker would need to know some additional information (for example, the time the password was generated)" applies; the fact is that Kaspersky's passwords were clearly less secure than people thought.

"The password generator included in Kaspersky Password Manager had several problems," the Donjon research team explained in a post on Tuesday. "The most critical one is that it used a PRNG not suited for cryptographic purposes. Its only source of entropy was the current time. Any password it created could be brute-forced in seconds."

Donjon points out that Kaspersky's big mistake was using the system clock, in seconds, as the seed for a pseudo-random number generator.

"This means that every instance of Kaspersky Password Manager in the world will generate the same password in a given second," said Jean-Baptiste Bédrune. According to him, every password could fall victim to a brute-force attack. "For example, there are 315,619,200 seconds between 2010 and 2021, so KPM could generate at most 315,619,200 passwords for a given character set. Brute-forcing this list takes only a few minutes."

The researchers from Donjon conclude:

“Kaspersky Password Manager used a complex method to generate its passwords. This method aimed to create passwords that are hard to crack for standard password crackers. However, such a method lowers the strength of the generated passwords when set against dedicated tools. We showed how to generate secure passwords using KeePass as an example: simple methods such as random draws are secure, as soon as you get rid of the "modulus bias" while picking a letter from a given character range.

“We also analyzed Kaspersky's PRNG and showed that it is very weak. Its internal structure, a Mersenne Twister from the Boost library, is not suited to generating cryptographic material. But the biggest flaw is that this PRNG was seeded with the current time, in seconds. This means that every password generated by vulnerable versions of KPM can be brute-forced in minutes (or in a second if you know approximately the generation time).”
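The flaw described above can be seen in a small Python sketch, added here as an illustration; it is not KPM's algorithm or Donjon's code. The charset, function names and timestamp are constructed for the example, and Python's `random` module stands in for the Boost Mersenne Twister.

```python
import math
import random
import secrets
import string
from typing import Optional

CHARSET = string.ascii_letters + string.digits   # constructed 62-symbol set
SECONDS_2010_2021 = 315_619_200                  # figure quoted in the article

def weak_password(epoch_seconds: int, length: int = 12) -> str:
    """Toy generator: Mersenne Twister seeded only with the clock, in seconds."""
    rng = random.Random(epoch_seconds)           # CPython's random is MT19937
    return "".join(CHARSET[rng.randrange(len(CHARSET))] for _ in range(length))

def strong_password(length: int = 12) -> str:
    """Hardened form: OS CSPRNG; secrets.choice picks without modulus bias."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))

def effective_bits(length: int, seed_space: Optional[int] = None) -> float:
    """Entropy of the output, capped by the number of possible seeds."""
    charset_bits = length * math.log2(len(CHARSET))
    if seed_space is None:
        return charset_bits
    return min(charset_bits, math.log2(seed_space))

def seed_in_window(password: str, start: int, end: int) -> Optional[int]:
    """Audit check: is this password reproducible from a seed in [start, end)?"""
    for t in range(start, end):
        if weak_password(t, len(password)) == password:
            return t
    return None

if __name__ == "__main__":
    created = 1_577_836_800                      # constructed timestamp
    pw = weak_password(created)
    print("same second, same password:", pw == weak_password(created))
    print("bits, time-seeded:", round(effective_bits(12, SECONDS_2010_2021), 1))
    print("bits, CSPRNG     :", round(effective_bits(12), 1))
    print("seed recovered   :", seed_in_window(pw, created - 3600, created + 3600))
```

A 12-character password over 62 symbols should carry about 71 bits, but with the clock as the only seed it carries about 28, however long it is; passwords that match the audit check need to be regenerated with a CSPRNG-backed generator.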

Kaspersky was informed of the vulnerability in June 2019 and released a patched version in October of the same year. In October 2020, users were notified that some passwords would need to be regenerated, and Kaspersky published its security advisory on April 27, 2021:

“All public versions of Kaspersky Password Manager responsible for this issue now have new password generation logic and a password update alert for cases where a generated password may not be strong enough”, said the security company.

Source: https://donjon.ledger.com