Kaspersky Password Manager Vulnerability Produced Passwords Susceptible to Brute Force Attacks

Security researchers have identified a vulnerability in the random password generator of the Kaspersky Password Manager (KPM). The generated passwords were prone to brute force attacks.

Password managers usually include a password generator so that users can create distinct, random, hard-to-guess passwords for their accounts. In a recent blog article, researchers at the security team Donjon reported that the pseudo-random number generator (PRNG) used by KPM was not random enough to generate strong passwords. As a result, any password it created could be brute-forced in a few minutes, and in seconds if the approximate time at which the password was generated is known.

Password generation in KPM produces a password according to a policy set by the end-user. The policy determines the password length and the character classes to include (digits, upper/lower case letters, special characters). Although several issues were found in the tool, the primary one was that the PRNG was unsuitable for cryptographic use, because its only source of entropy was the current time in seconds.

Because the current system time was the only seed value, the passwords generated by the password manager in any given second were identical for every end-user around the world.

The researchers explained that the consequences are clearly negative: every generated password can be brute-forced. For instance, there are 315619200 seconds between 2010 and 2021, so KPM could have produced at most 315619200 distinct passwords for a given character set. Brute-forcing all of them takes a couple of minutes.

It is common for websites and forums to display the date an account was created. Knowing that date, an attacker can brute-force the account password with a small set of candidate passwords (~100) and gain access to the account.
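The weakness described above, modelled as an added example that is not KPM's code: a hypothetical generator whose only seed is the clock in whole seconds, beside one backed by the OS CSPRNG, with the checks a reviewer would run against such a generator. The policy, character set and time window are constructed for illustration.

```python
import math
import random
import secrets
import string
from datetime import datetime, timezone

# Constructed policy: a length and character classes a user might select.
CHARSET = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$%^&*"
LENGTH = 12
# Constructed window used to size the search space of a time-seeded generator.
DECADE = (datetime(2010, 1, 1, tzinfo=timezone.utc),
          datetime(2020, 1, 1, tzinfo=timezone.utc))


def weak_generate(seed_seconds: int, length: int = LENGTH, charset: str = CHARSET) -> str:
    """Hypothetical time-seeded generator (a simplified model, not KPM's algorithm):
    its only entropy is a Unix timestamp in whole seconds, so every call made in
    the same second returns the same password, for every user everywhere."""
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(charset) for _ in range(length))


def strong_generate(length: int = LENGTH, charset: str = CHARSET) -> str:
    """Generator backed by the OS CSPRNG; its output does not depend on the clock."""
    return "".join(secrets.choice(charset) for _ in range(length))


def nominal_bits(length: int = LENGTH, charset: str = CHARSET) -> float:
    """Entropy the policy promises if each character were chosen uniformly at random."""
    return length * math.log2(len(charset))


def candidate_count(start: datetime, end: datetime) -> int:
    """Search space of a per-second time-seeded generator: one password per second."""
    return int((end - start).total_seconds())


def effective_bits(start: datetime, end: datetime) -> float:
    """Entropy the time-seeded generator actually delivers over that window."""
    return math.log2(candidate_count(start, end))


def is_clock_reproducible(generator, seed_seconds: int) -> bool:
    """Reviewer's check: a generator that repeats its output for the same clock
    value is unfit for cryptographic use, whatever its policy promises."""
    return generator(seed_seconds) == generator(seed_seconds)


if __name__ == "__main__":
    print(f"policy promises {nominal_bits():.1f} bits per password")
    print(f"time seeding delivers {effective_bits(*DECADE):.1f} bits over a decade")
    print("weak generator clock-reproducible:", is_clock_reproducible(weak_generate, 1_590_000_000))
    print("CSPRNG generator clock-reproducible:", is_clock_reproducible(lambda s: strong_generate(), 0))
```

The gap between the promised and delivered entropy is the whole finding: a 12-character policy over 70 characters nominally offers over 73 bits, but a per-second seed over a decade yields fewer than 29, and a signup timestamp known to the minute shrinks that to about 60 candidates.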

The researchers reported the vulnerability to Kaspersky in June 2019. Kaspersky issued updates between October 2019 and December 2019, but these did not completely resolve the problem. The vulnerability was tracked as CVE-2020-27020 and was fixed in KPM 9.0.2 Patch M on October 13, 2020. After installing the update, users received notifications telling them to regenerate weak passwords. Kaspersky published an advisory about the vulnerability on April 27, 2021.

Any end-user of KPM who has not yet installed the updates should do so immediately and follow the product's recommendations to change any weak passwords. Kaspersky noted that although an attacker could recover such passwords, this is improbable, since the attacker would need to know the user's account details, the precise time the password was generated, and that the person used KPM to generate it.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone