- #KASPERSKY PASSWORD MANAGER LINUX HOW TO#
- #KASPERSKY PASSWORD MANAGER LINUX GENERATOR#
- #KASPERSKY PASSWORD MANAGER LINUX UPDATE#
So what is the takeaway from this? In short, if you are using Kaspersky Password Manager, you need to make sure that it is completely up-to-date to ensure that your passwords are not going to be crackable. The lack of randomness created by KPM's solution, along with the fact that if the creation time of an account is known, an attack can be made that much quicker, highlights the fact that even random password generators can't be relied upon to keep malicious actors away. Super computers are able to go through billions of attempts per second to brute force a password.
#KASPERSKY PASSWORD MANAGER LINUX GENERATOR#
Mike Newman, CEO of My1Login, responded to the news by saying: "The main goal of a random password generator is to create passwords that are virtually impossible to crack, so to hear Kaspersky's random password generator could be brute forced due to design blunders is alarming". The discovery has shocked the security community.
#KASPERSKY PASSWORD MANAGER LINUX UPDATE#
Hi Matthew, here's an update regarding the issue. Kaspersky points out that the issue was addressed last year: Incidentally, writing this PoC allowed us to spot an out of bounds read during the computation of the frequency of appearance of password chars, which makes passwords a bit stronger that they should have been. It can be used to verify the flaw is indeed present in Windows versions of Kaspersky Password Manager < 9.0.2 Patch F. That means every password generated by vulnerable versions of KPM can be bruteforced in minutes (or in a second if you know approximately the generation time).įinally, we provided a proof of concept that details the full generation method used by KPM. But the major flaw is that this PRNG was seeded with the current time, in seconds.
Its internal structure, a Mersenne twister taken from the Boost library, is not suited to generate cryptographic material. We also studied the Kaspersky's PRNG, and showed it was very weak.
#KASPERSKY PASSWORD MANAGER LINUX HOW TO#
We showed how to generate secure passwords taking KeePass as an example: simple methods like random draws are secure, as soon as you get rid of the "modulo bias" while peeking a letter from a given range of chars. However, such method lowers the strength of the generated passwords against dedicated tools. This method aimed to create passwords hard to break for standard password crackers. Kaspersky Password Manager used a complex method to generate its passwords. While the caveat that "an attacker would need to know some additional information (for example, time of password generation)" is valid, the fact remains that Kaspersky passwords were significantly less secure than people were led to believe. The issue was assigned CVE-2020-27020, where the old version of the password manager is described as being "not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases". This meant that "all the passwords it created could be bruteforced in seconds". Most significant is the fact that the PRNG used a single source of entropy - the current time.
0 kommentar(er)
