![]() ![]() “All public versions of Kaspersky Password Manager responsible for this problem now have a new one.The strength of a password is determined by its scheme. In October 2020, users were informed that some passwords would have to be regenerated, and Kaspersky published its security advisory on April 27, 2021: ![]() ![]() Kaspersky was informed of the vulnerability in June 2019 and released the patch version in October of the same year. This means that each password generated by vulnerable versions of KPM can be brutally tampered with in a matter of minutes (or a second if you know roughly the generation time). But the biggest flaw is that this PRNG was seeded with the current time, in seconds. Its internal structure, a Mersenne tornado from the Boost library, is not suitable for generating cryptographic material. “We also analyzed Kaspersky's PRNG and showed that it was very weak. We have shown how to generate strong passwords using KeePass as an example: simple methods like sweepstakes are safe, as soon as you get rid of "modulus bias" while looking at a letter in a given character range. However, such a method reduces the strength of the generated passwords compared to dedicated tools. This method was aimed at creating hard-to-crack passwords for standard password hackers. “Kaspersky Password Manager used a complex method to generate its passwords. A brute force attack on this list only takes a few minutes. “For example, there are 315,619,200 seconds between 20, so KPM could generate a maximum of 315,619,200 passwords for a given character set. According to him, every password could be the target of a brute force attack ”. "This means that every instance of Kaspersky Password Manager in the world will generate exactly the same password in a given second," says Jean-Baptiste Bédrune. "ĭungeon points out that Kaspersky's big mistake was using the system clock in seconds as a seed in a pseudo-random number generator. Any password you create could be brutally broken in seconds. Its only source of entropy was the present tense. “The most important thing is that he was using an inappropriate PRNG for cryptographic purposes. "The password generator included in Kaspersky Password Manager has encountered several problems," the Dungeon research team explained in a post on Tuesday. To the problem assigned the index CVE-2020-27020, where the caveat that "an attacker would need to know additional information (for example, the time the password was generated)" is valid, the fact is that Kaspersky passwords were clearly less secure than people thought. To generate strong passwords, Kaspersky Password Manager must rely on a mechanism for generating strong passwords ”. A key point with password managers is that, unlike humans, these tools are good at generating strong and random passwords. “The main feature of KPM is password management. The product is available for different operating systems (Windows, macOS, Android, iOS, Web…) Encrypted data can be automatically synchronized between all your devices, always protected by your master password. So like other password managers, users need to remember a single password to use and manage all of their passwords. This safe is protected by a master password. Kaspersky Password Manager is a product that safely stores passwords and documents in an encrypted and password-protected safe. “Two years ago, we reviewed Kaspersky Password Manager (KPM), a password manager developed by Kaspersky. Researchers discovered that the password generator it had several problems and one of the most important was that PRNG used only one entropy source In short, it was that the generated passwords were vulnerable and not at all secure. The tool used a pseudo-random number generator that was singularly unsuitable for cryptographic purposes. Few days ago a tremendous scandal was set up on the net by a publication made by Donjon (a security consultancy) in which basically discussed various security issues of "Kaspersky Password Manager" especially in its password generator, as it demonstrated that every password it generated could be cracked by a brute force attack.Īnd it is that the security consultancy Donjon he discovered that Between March 2019 and October 2020, Kaspersky Password Manager generated passwords that could be cracked in seconds. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |