
Kaspersky Password Manager’s Generated Passwords Could be Brute-forced

by CISOCONNECT Bureau

Users of Kaspersky Password Manager (KPM) received an alert last year informing them they needed to upgrade their weaker passwords.

Kaspersky Lab released an upgrade to KPM in March 2019, saying that the application could detect weak passwords and generate secure, stronger replacements. Three months later, a team from security consultancy Donjon discovered that KPM failed at both tasks, because the software relied on a pseudo-random number generator (PRNG) that was not random enough to produce strong passwords.

From that time until the last few months of 2020, KPM suggested passwords that were easy to crack, without flagging them to users as weak.

The Donjon research team explained in a blog post on Tuesday: “The password generator included in Kaspersky Password Manager had several problems.”

“The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. All the passwords it created could be bruteforced in seconds.”

Donjon argues that using the current system time as the random seed means KPM generates identical passwords anywhere in the world at any given second. However, KPM’s interface shows a one-second animation of rapidly shifting random characters that hides the actual moment of password generation, which made the issue harder to spot.

Despite this, the lack of randomness means that for any given password character set, the number of possible passwords generated over time is small enough to be brute-forced in a matter of minutes. And, according to Donjon, if an account’s creation time is known – something routinely visible on online forums – the range of possibilities shrinks dramatically, reducing the time needed for a brute-force attack to a matter of seconds.

The Donjon team wrote: “The consequences are obviously bad: every password could be bruteforced.”

“For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes.”
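To make the weakness concrete, here is an added example that is not Kaspersky’s or Donjon’s code: a hypothetical `weak_password` function models a generator whose only entropy is the current time in seconds, beside a hardened version that draws from the OS CSPRNG, and two helpers compare the effective keyspace of each. The 62-symbol charset and 12-character length are assumptions for illustration; the 315619200-second window is the figure quoted above.

```python
import math
import random
import secrets
import string

CHARSET = string.ascii_letters + string.digits  # assumed 62-symbol charset
LENGTH = 12                                     # assumed password length


def weak_password(epoch_seconds: int, length: int = LENGTH) -> str:
    """Hypothetical time-seeded generator modelled on the flaw described above.

    The current time in seconds is the sole seed of a non-cryptographic PRNG,
    so any two calls in the same second, anywhere in the world, return the
    same password."""
    rng = random.Random(epoch_seconds)
    return "".join(rng.choice(CHARSET) for _ in range(length))


def strong_password(length: int = LENGTH) -> str:
    """Hardened version: every symbol comes from the OS CSPRNG."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def time_seeded_keyspace_bits(window_seconds: int) -> float:
    """A time-seeded generator yields at most one password per second, so its
    effective entropy is bounded by the number of seconds in the window."""
    return math.log2(window_seconds)


def charset_keyspace_bits(charset_size: int, length: int) -> float:
    """Entropy a password of this length would carry if chosen uniformly."""
    return length * math.log2(charset_size)


SECONDS_2010_TO_2021 = 315619200  # window quoted in the article

if __name__ == "__main__":
    t = 1_600_000_000  # constructed timestamp
    print(weak_password(t) == weak_password(t))  # same second, same password
    print(f"time-seeded: {time_seeded_keyspace_bits(SECONDS_2010_TO_2021):.1f} bits")
    print(f"uniform:     {charset_keyspace_bits(len(CHARSET), LENGTH):.1f} bits")
```

The gap between roughly 28 bits and roughly 71 bits is the whole story: the password looks long and mixed, but only the seed space matters when the seed is the clock.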

Between October and December 2019, a series of updates was rolled out to the web, Windows, Android, and iOS versions, because the initial Windows patch did not work properly. Kaspersky published KPM 9.0.2 Patch M in October 2020, which included a notification telling users that certain weak passwords needed to be regenerated.

The vulnerability was assigned CVE-2020-27020, and Kaspersky issued an advisory in April 2021.
