Kaspersky Password Manager was generating weak passwords that put its users at risk; so, if you have been using it, you may need to change some of your passwords.
A recent report has revealed that Kaspersky Password Manager used an insecure method of generating passwords for many years, producing passwords that an attacker could brute-force in just a few minutes. Some of the people who relied on it now need to change their passwords.
Passwords should ideally be easy to remember while being difficult for a computer to guess, but in practice most people use passwords that are difficult to remember and easy for computers to guess. Experts therefore recommend password management software such as LastPass, 1Password, Bitwarden, and Kaspersky Password Manager, which can generate and store strong passwords so that users only have to remember one secure master password to stay safe on the web. Those who used Kaspersky Password Manager's generator may have been put at risk, although Kaspersky has since resolved the issue.
What was the Kaspersky Password Manager flaw?
A researcher who responsibly disclosed the flaw to Kaspersky, giving the company time to fix it, explained that there were two flaws in the password management solution, as ZDNet reports. Password managers rely on a random number generator to create secure passwords, but Kaspersky was reportedly seeding its generator with the system time, so the output depended only on the second at which the password was generated.
“It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second,” said Jean-Baptiste Bédrune, head of security at Ledger Donjon. “The consequences are obviously bad: every password could be brute-forced. For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes,” he added.
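To make the quoted reasoning concrete, the following is an added illustration, not Kaspersky's code: the page does not describe the actual generator, so Python's `random` module seeded with a whole-second Unix timestamp stands in for it (an assumption). The script shows why a clock-seeded generator is equivalent to a keyspace of "one password per second", how an attacker who knows roughly when a password was created can recover the seed by trying every second in a window, how many candidates a multi-year window holds, and what the generator should have used instead (an OS-backed CSPRNG via `secrets`).

```python
# Added example: clock-seeded password generation versus a CSPRNG.
# Not Kaspersky's implementation; the deterministic generator is
# Python's Mersenne Twister (random.Random) seeded with a timestamp,
# used here only as a stand-in for "seeded with the system time".
import random
import secrets
import string
from datetime import datetime

ALPHABET = string.ascii_letters + string.digits  # 62-character charset
LENGTH = 12


def weak_password(timestamp_s: int, length: int = LENGTH) -> str:
    """Deterministic generator: the seed is the whole-second timestamp.

    Every instance seeded with the same second yields the same password,
    which is exactly the property the report describes.
    """
    rng = random.Random(timestamp_s)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = LENGTH) -> str:
    """What a password manager should do: draw from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def recover_seed(password: str, start_s: int, end_s: int):
    """Brute-force the seed: try every second in [start_s, end_s].

    Returns the timestamp that reproduces `password`, or None if the
    password was not generated from any second in the window.
    """
    length = len(password)
    for t in range(start_s, end_s + 1):
        if weak_password(t, length) == password:
            return t
    return None


def seconds_in_window(start_year: int, end_year: int) -> int:
    """Size of the keyspace for passwords generated between 1 January of
    start_year and 1 January of end_year: one candidate per second."""
    delta = datetime(end_year, 1, 1) - datetime(start_year, 1, 1)
    return int(delta.total_seconds())


if __name__ == "__main__":
    # Constructed scenario: a password generated at a known second.
    created_at = 1262304000  # 2010-01-01 00:00:00 UTC (constructed)
    pw = weak_password(created_at)
    print("generated:", pw)

    # Attacker only knows the password was made "sometime that hour".
    found = recover_seed(pw, created_at - 1800, created_at + 1800)
    print("recovered seed:", found, "(match)" if found == created_at else "")

    # Even a ten-year window is a small keyspace for offline cracking.
    print("candidates for 2011..2021:", seconds_in_window(2011, 2021))

    # Contrast: a CSPRNG-backed password has no recoverable seed.
    print("strong:", strong_password())
```

The search space in `recover_seed` is linear in the width of the time window, not in the length or charset of the password, which is why password length buys nothing here: a 32-character password produced from a clock seed is no harder to recover than a 12-character one.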
Bédrune also discovered a second flaw, apparently introduced to defeat dictionary attacks, a technique in which an attacker systematically tries every word in a dictionary in order to find a password. According to the report, Kaspersky skewed its generator toward uncommon letter groupings such as zr or qz. The obvious downside is that the bias itself becomes a weakness: an attacker who knows the target uses Kaspersky Password Manager can try those combinations first and crack the password much faster than a uniform search would allow.
What you need to do now
If you started using Kaspersky Password Manager after October 2019, you should be protected from the flaw that produced the weaker passwords. If you have been a user for longer, some of your passwords generated in or before 2019 may need to be regenerated. The service should notify you about these passwords, which should make the process easier.
Here’s what Kaspersky had to say
The researcher informed Kaspersky of the issue in June 2019, and the company issued a fix four months later, in October 2019. A year later, the company notified its users that they would need to change some passwords. Kaspersky finally released an advisory in April 2021 detailing which versions of its software were affected. “All public versions of Kaspersky Password Manager liable to this issue now have a new logic of password generation and a passwords update alert for cases when a generated password is probably not strong enough,” Kaspersky said in the advisory.