- #Kaspersky password manager flaw bruteforced passwords generator#
- #Kaspersky password manager flaw bruteforced passwords code#
Kaspersky has acknowledged the problems, and said that new logic is now applied. The problem is, if an attacker knows you use KPM, they can instead mount a brute-force attack with these combinations, which can actually take less time than a standard dictionary attack. To defeat dictionary attacks, KPM generated passwords that use letter groupings not found in words – like qz or zr.
#Kaspersky password manager flaw bruteforced passwords code#
(Ironically, a bug in the code ended up introducing an additional variable that mitigated the problem in some cases.)Ī second flaw was less likely to be an issue in practice, as it only helped an attacker who knew you used KPM. Bruteforcing them takes a few minutes.”īédrune added due to sites often showing account creation time, that would leave KPM users vulnerable to a bruteforce attack of around 100 possible passwords. “For example, there are 315619200 seconds between 20, so KPM could generate at most 315619200 passwords for a given charset. “The consequences are obviously bad: every password could be bruteforced,” he said. “It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second,” Jean-Baptiste Bédrune said.īecause the program has an animation that takes longer than a second when a password is created, Bédrune said it could be why this issue was not discovered. Bruteforcing them takes a few minutes,” states the researcher.The big mistake made by KPM though was using the current system time in seconds as the seed into a Mersenne Twister pseudorandom number generator. For example, there are 315619200 seconds between 20, so KPM could generate at most 315619200 passwords for a given charset. “The consequences are obviously bad: every password could be bruteforced. Kaspersky Password Manager handles basic password tasks and includes encrypted online image storage, but it lacks password sharing and inheritance features. The issue could be easily discovered, however, because the program has an animation during password creation, which takes longer than the mentioned second, it was not. Simply put, “it means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second,” Bédrune said.
#Kaspersky password manager flaw bruteforced passwords generator#
Registered as CVE-2020-27020, the vulnerability states that “the password generator feature in KPM was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords if they knew some additional information,” more specifically – the time of its creation. The main problem arose when Ledger examined KPM’s PRNG. However, by itself this weakness is not critical, and research concluded that it would resist against the standard tools if the password is long enough – a length of the password is a feature that KPM allows users to change.
“If an attacker knows a person uses KPM, he will be able to break his password much more easily than a fully random password,” researcher states. The obvious downside of this approach is the fact that the application becomes predictable, and the well-intended bias can be exploited. “Their password cracking method relies on the fact that there are probably ‘e’ and ‘a’ in a password created by a human than ‘x’ or ‘j’, or that the bigrams ‘th’ and ‘he’ will appear much more often than ‘qx’ or ‘zr’,” Bédrune explains. In order to do that they used a technique where letters and combinations of letters that are not often used in human-created passwords appear more frequently. This method aimed to create passwords hard to break for standard password crackers.” “Kaspersky Password Manager used a complex method to generate its passwords. One of the first potential weaknesses of KPM that Bédrune mentions in his article is the subversion of an algorithmic bias that was probably created to trick common password cracking tools.
0 kommentar(er)
