If you are using Kaspersky Password Manager (KPM) for creating passwords, you might want to consider regenerating those you created before October 2019. According to Donjon, a security research team at Ledger passwords generated by KPM are so weak that it is easy to brute-force them.
Researchers claim that they started analyzing Kaspersky’s password manager two years ago and identified that any program could guess the tool’s generated passwords within seconds.
KPM’s Password Generation Method
Researchers wrote that KPM’s password generation method is somewhat complex as it involves random floats followed by a multiplication step to enhance entropy and dictionary infrequency-based character picking.
Furthermore, it uses the system time as its seed, so if a hacker correlates it with the account creation, they can narrow down the results to around a hundred guesses, and in vague cases, this number wouldn’t still be higher than a thousand.
“This method aimed to create passwords hard to break for standard password crackers. However, such method lowers the strength of the generated passwords against dedicated tools,” wrote head of security research at Ledger Donjon, Jean-Baptiste Bédrune.
KPM uses a technique to make those letters that aren’t often used appear more frequently to trick password cracking tools. But this method relies heavily on the ‘a’ and ‘e’ in a password that a human creates than ‘x’ or ‘j’ or ‘th’ of the bigrams. So, in KPM’s passwords, ‘he’ appears more often than ‘qx’ or ‘zr.’
The Flip Side
Bédrune explained in the blog post that if an attacker can deduce that KPM creates the password, the password generator’s bias can work against it.
“If an attacker knows a person uses KPM, he will be able to break his password much more easily than a fully random password. Our recommendation is, however, to generate random passwords long enough to be too strong to be broken by a tool.”
Since KPM uses the system time in seconds as the seed is a Mersenne Twister pseudorandom number generator, every instance of the software worldwide will create the same password at a given second because the tool’s animation takes longer than a second when a password is generated.
“The consequences are obviously bad: every password could be brute-forced,” Bédrune stated in a blog post.
“For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes,” leaving KPM users vulnerable to brute-force attack of nearly 100 possible passwords.
This issue is identified in KPM versions released before 9.0.2 Patch F on Windows, 18.104.22.1682 on Android, or 22.214.171.124 on iOS. Kaspersky was notified about the vulnerability (CVE-2020-27020) back in June 2019, and a fix was released in October 2019. Kaspersky published a security advisory on 27 April 2021 explaining that:
“All public versions of Kaspersky Password Manager liable to this issue now have a new logic of password generation and a passwords update alert for cases when a generated password is probably not strong enough.”