Kaspersky Password Manager's random password generator was about as random as your wall clock

Could be brute-forced due to design blunders, according to infosec outfit

Last year, Kaspersky Password Manager (KPM) users got an alert telling them to update their weaker passwords. Now we've found out why that happened.

In March 2019, security biz Kaspersky Lab shipped an update to KPM, promising that the application could identify weak passwords and generate strong replacements. Three months later, a team from security consultancy Donjon found that KPM didn't manage either task particularly well – the software used a pseudo-random number generator (PRNG) that was insufficiently random to create strong passwords.

From that time until the last few months of 2020, KPM was suggesting passwords that could be easily cracked, without flagging the weak passwords for users.

"The password generator included in Kaspersky Password Manager had several problems," the Donjon research team explained in a blog post on Tuesday.

"The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. All the passwords it created could be bruteforced in seconds."

Using the current system time as the random seed value, Donjon explains, means that KPM will generate identical passwords at any given time anywhere in the world. But KPM's interface includes a one-second animation of rapidly shifting random characters that obscures the moment the actual password gets generated. This made the problem harder to spot.

Nonetheless, the lack of randomness meant that for any given password character set, the possible passwords created over time are limited enough that they can be brute-forced in a few minutes. And if the creation time of an account is known – something commonly displayed in online forums, according to Donjon – that range of possibilities becomes much smaller and reduces the time required for brute-force attacks to a matter of seconds.

"The consequences are obviously bad: every password could be bruteforced," the Donjon team wrote. "For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes."
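As an added illustration (not Kaspersky's code and not Donjon's; every name below is constructed), here is a Python sketch of a generator seeded only with the wall-clock second beside a CSPRNG-backed one, plus a helper that counts how many distinct outputs a one-second seed admits in a date window; the ten-year window 2011-01-01 to 2021-01-01 reproduces the 315619200 figure quoted above.

```python
import random
import secrets
import string
from datetime import datetime, timezone

# Constructed illustration, not Kaspersky's real algorithm: the only thing
# it shares with the flaw described above is a single seed equal to the
# current time in whole seconds.
CHARSET = string.ascii_letters + string.digits


def weak_password(length: int, seed_seconds: int) -> str:
    """Flawed design: a non-cryptographic PRNG (Mersenne Twister) seeded
    only with a one-second timestamp. Every machine that seeds with the
    same second produces the same string."""
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(CHARSET) for _ in range(length))


def strong_password(length: int) -> str:
    """Corrected design: draw from the OS CSPRNG; there is no seed an
    observer could narrow down from wall-clock time."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def candidate_space(start_iso: str, end_iso: str) -> int:
    """Upper bound on distinct outputs of a second-granularity time seed
    between two dates (ISO 8601, interpreted as UTC). This bound holds
    regardless of password length or charset, which is why the weak
    design is brute-forceable."""
    start = datetime.fromisoformat(start_iso).replace(tzinfo=timezone.utc)
    end = datetime.fromisoformat(end_iso).replace(tzinfo=timezone.utc)
    return int((end - start).total_seconds())


def is_time_deterministic(length: int, seed_seconds: int) -> bool:
    """True when two independent generator instances seeded with the same
    second agree, i.e. the output carries no entropy beyond the clock."""
    return weak_password(length, seed_seconds) == weak_password(length, seed_seconds)


if __name__ == "__main__":
    now = int(datetime.now(timezone.utc).timestamp())
    print("weak  :", weak_password(16, now), "deterministic:", is_time_deterministic(16, now))
    print("strong:", strong_password(16))
    # Ten-year window gives Donjon's 315619200 figure; knowing the account's
    # creation day shrinks the candidate set to a single day of seconds.
    print("candidates, 2011-2021:", candidate_space("2011-01-01", "2021-01-01"))
    print("candidates, one day  :", candidate_space("2020-06-01", "2020-06-02"))
```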

A series of fixes – because the initial Windows patch didn't work properly – was rolled out to the web, Windows, Android, and iOS between October and December 2019. And in October 2020, Kaspersky released KPM 9.0.2 Patch M, which included a notification to users that certain weak passwords need to be regenerated.

The issue was assigned CVE-2020-27020 and Kaspersky published an advisory in April 2021.

"Kaspersky has fixed a security issue in Kaspersky Password Manager, which potentially allowed an attacker to find out passwords generated by the tool," a company spokesperson said in an email to The Register.

"This issue was only possible in the unlikely event that the attacker knew the user’s account information and the exact time a password had been generated. It would also require the target to lower their password complexity settings."

The company's spokesperson advised that all users install the applicable updates.
