Users are at risk due to Kaspersky Password Manager; Act now

Update: 2021-07-08 11:19 IST

Kaspersky Password Manager

A recent report has revealed that Kaspersky Password Manager used an insecure method of generating passwords for many years, producing passwords that attackers could brute-force in just a few minutes. Some of the people who used the service now need to change their passwords.

Ideally, passwords should be easy for a person to remember and hard for a computer to guess, but in practice most people use passwords that are hard to remember and easy for computers to guess. That is why experts recommend password managers such as LastPass, 1Password, Bitwarden, and Kaspersky Password Manager, which generate and store strong passwords so that users only have to remember one strong master password to stay safe on the web. Those who used Kaspersky Password Manager, however, may have been put at risk. Kaspersky has now fixed the problem.

Kaspersky Password Manager Failure

A researcher who responsibly disclosed the flaw to Kaspersky so that it could be fixed explained, as reported by ZDNet, that there were two flaws in the password manager. Password managers use a random number generator to create strong passwords, but Kaspersky was reported to be using the system time as the generator's seed.

"It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second," said Jean-Baptiste Bédrune, head of security at Ledger Donjon. "The consequences are obviously bad: every password could be bruteforced. For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given data-charset. Bruteforcing them takes a few minutes," he added.
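To make the point in the quote concrete, here is an added illustration (not Kaspersky's code, and not from the original report): a toy generator seeded with the wall clock in whole seconds, next to a generator that draws from OS entropy, plus a helper that compares how many distinct passwords each can produce. The alphabet and the password length are assumptions for the illustration.

```python
import random
import secrets
import string
from datetime import datetime, timezone

# Assumed alphabet for the illustration (letters and digits).
CHARSET = string.ascii_letters + string.digits


def time_seeded_password(seconds_since_epoch: int, length: int = 12) -> str:
    """Toy model of the weak design: the PRNG is seeded with the clock in
    whole seconds, so the output is a pure function of that second.
    Illustrative stand-in only, not the real Kaspersky generator."""
    rng = random.Random(seconds_since_epoch)  # deterministic for a given seed
    return "".join(rng.choice(CHARSET) for _ in range(length))


def csprng_password(length: int = 12) -> str:
    """The sound design: every character comes from OS entropy."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def utc_date(year: int, month: int, day: int) -> datetime:
    """Midnight UTC on the given date."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def seconds_in_window(start: datetime, end: datetime) -> int:
    """How many distinct whole-second seeds exist in a date window."""
    return int((end - start).total_seconds())


def candidate_space(window_seconds: int, length: int) -> dict:
    """Upper bound on the distinct passwords a reviewer must assume exist.
    The time-seeded generator is capped by the number of seeds in the
    window, however long the password; the CSPRNG by |charset| ** length."""
    full = len(CHARSET) ** length
    return {"time_seeded": min(window_seconds, full), "csprng": full}


if __name__ == "__main__":
    now = int(datetime.now(timezone.utc).timestamp())
    # Two "instances" running in the same second produce the same password.
    print(time_seeded_password(now) == time_seeded_password(now))  # True
    window = seconds_in_window(utc_date(2020, 1, 1), utc_date(2021, 1, 1))
    print(candidate_space(window, 12))
```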

Bédrune also discovered a second flaw, in a feature the company had likely added to defeat dictionary attacks, a technique in which attackers systematically try each word in a dictionary to find a password, according to the report. Kaspersky would use unusual letter groupings like zr or qz to create passwords. The obvious disadvantage of this approach is that an attacker who knows the target is using Kaspersky Password Manager could get in much faster by trying these letter combinations first.

What do you need to do now?

If you created an account with Kaspersky Password Manager after October 2019, you should be protected from the flaw that allowed less secure passwords to be generated. If you have been a user for longer, some of your passwords generated during or before 2019 may need to be regenerated. The service should notify you about those passwords, which should make the process easier.
