Kaspersky’s Password Manager created passwords who love trying rightly guessed, explaining researchers who have looked at the procedures used in more detail. Affected were Kaspersky Password Manager for all platforms, ie: Windows, Android and iOS. Kaspersky has eliminated the problem at the end of 2019 so that all current versions create secure passwords. But who has already used a password manager of Kaspersky in 2019, used a weak password under a year over a year. Only now do the details of this failure come to light.
Not really random
One of the most important advantages of a password manager is that they simply make it the user, for all services different but still good passwords that normally could not remember a human. To do this, suggest the user with some complex and apparently randomly as possible to the user when creating a new password: ah, hai; h6ielo5e or aenupei / 7yOh.
In the background, this password creates a so-called pseudo-random number generator (PRNG). That "Pseudo" means that these numbers are not really randomly, but are calculated. To do this, gives the PRNG an initial value and spits a series of numbers that do not have a recognizable relationship. But with the same initial value always gives the same sequence of numbers. So you have to use a truly random value that does not guess. Otherwise an attacker could simply calculate the proposed password.
And that has kaspersky kaspersky. They simply use the current time in seconds. This not only means that each of these password managers is setting the exact same password at the same time. It also reduces the number of possible passwords so strong that you could easily carry out all.
Thus, the researchers expect ledgers who have revealed that between 2010 and 2021 have passed a total of 315619200 seconds. That sounds like a lot, but in your example scenario you could try all in a few minutes. Anyone who can undermine the time – for example, using the displayed Creation date of an account – certainly fewer tries.
The researchers demonstrated the problem by completely replicating the procedure of password position. They also found that the PRNG employed – a so-called Mersenne Twister – for this task was not particularly well suited and immediately taught the manufacturer Kaspersky over their findings.
The long way to the secure password
However, the elimination of the problem was not a quick thing. After all, the safety of impudent accounts hung on these weak passwords. The researchers informed Kaspersky on these problems already in June 2019. The manufacturer created updates of the affected versions over the following months with an improved password proposal function and distributed them to his customers.
But it remained the problem of passwords already created, which were easy to guess in a publication of the problem. Only in October 2020, according to Timeline, Kaspersky turned out an update in the Ledger blog, which compensates for a change of the weak password and documented the problem for the first time in April 2021 with a vagen security advisory to CVE-2020-27020. The publication now made by the researchers of Ledger explains the real scope of the problem for the first time.
This security problem throws a bad light on the actually good Beleumunde Security Company Kaspersky. Not only did you have shocked at a critical security component like the password manager at a level, for that simply missing the words. That the randomness of random numbers of a PRNG depends on its initialization should any knowledge that uses it in a security context. Kaspersky has any form of quality arance? And if so, what exactly does the?
Even worse, Kaspersky – at least if you believe Ledgers Timeline – love for a year to exchanges the coarsely low passwords of their customers. This means that anyone who has made something of Ledger’s research or randomly threw a closer look at the passwords produced, which was able to capture secured accessible with little effort. Granted: The problem of creating something out of the world is not trivial. But the procedure marked here is simply unacceptable.
Addendum: This association is partly based on the timeline of the events published by Ledger. Some checks seem to be confirmed. So Kaspersky published a Security Advisory in April 2021 in which she has the Android version 126.96.36.1992 Attached as fixed. This seemed independent sources already in October 2019, which was deployed Ledger’s presentation. I asked Kaspersky to comment on this situation. An answer to this request is still out.
: Kaspersky has confirmed us against the quoted information from Ledger: among other things, they explained: "From the version Kaspersky Password Manager 9.0.2 Patch M (Windows, published in October 2020), Kaspersky Password Manager for iOS 188.8.131.52 (published in February 2021), Kaspersky Password Manager for Android – 184.108.40.206 (published in Marz 2021) there is a function that the users warns that some of their passwords are not strong – including those generated by the generator."