timeloha.blogg.se

Kaspersky password manager flaw bruteforced passwords












"It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second," said Jean-Baptiste Bédrune, head of security at Ledger Donjon.

"The consequences are obviously bad: every password could be bruteforced. For example, there are 315619200 seconds between 20, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes," he added.

Bédrune also discovered a second flaw that the company probably created to defeat dictionary attacks – a technique used by hackers who systematically enter every word in a dictionary in order to find a password, according to the report. Kaspersky would use uncommon letter groupings like zr or qz to make passwords. The obvious downside to using this system was that a hacker who knows their target is using Kaspersky Password Manager could break into the system much faster by trying these letter combinations.

If you created an account with Kaspersky Password Manager after October 2019, you should be protected from the security flaw that enabled the generation of less secure passwords. If you've been a user for longer, some of your passwords generated during or before 2019 may need to be regenerated. The service should notify you about these passwords, which should make the process easier.

The researcher informed Kaspersky of the issue in June 2019 and the company worked on a fix that was issued four months later in October. A year later, the company notified its users that they would need to change some passwords. The company finally released an advisory in April 2021, detailing which versions of its software were impacted by the issue.


Password managers use a random number generator to create secure passwords, but Kaspersky was reportedly using the system time as a 'seed'.
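The effect of a clock-seeded generator, shown as an added example (not Kaspersky's code and not part of the original article). Python's `random.Random` stands in for the product's generator; the charset, timestamp and function names are assumptions made for the illustration.

```python
import random
import secrets
import string
from typing import Optional

# Assumed charset for the demo; the real product let users pick one.
CHARSET = string.ascii_letters + string.digits


def weak_password(unix_second: int, length: int = 12) -> str:
    """Clock-seeded generator: the output is a pure function of the second."""
    rng = random.Random(unix_second)  # stand-in PRNG seeded with system time
    return "".join(rng.choice(CHARSET) for _ in range(length))


def strong_password(length: int = 12) -> str:
    """Hardened form: every character comes from the OS CSPRNG, no seed."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def audit_window(password: str, start: int, end: int) -> Optional[int]:
    """Return the second in [start, end) that reproduces `password`, else None.

    A hit means the stored password is fully determined by its creation
    time and should be regenerated.
    """
    for second in range(start, end):
        if weak_password(second, len(password)) == password:
            return second
    return None


# Constructed sample values, not taken from any real vault.
CREATED_AT = 1_560_000_000           # hypothetical creation time (Unix seconds)
WINDOW = (CREATED_AT - 1800, CREATED_AT + 1800)  # one hour around it

if __name__ == "__main__":
    a = weak_password(CREATED_AT)    # "machine A"
    b = weak_password(CREATED_AT)    # "machine B", same second
    print("same second, same password:", a == b)
    print("seed recovered by audit:", audit_window(a, *WINDOW))
    print("CSPRNG password flagged:", audit_window(strong_password(), *WINDOW))
```

The candidate space is bounded by the number of seconds in the search window, not by the password's length or charset, which is why the quoted figure of 315619200 candidates is so small.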


What was the Kaspersky Password Manager flaw?

A researcher who responsibly disclosed the flaw to Kaspersky to allow them to fix the issue explained that there were two flaws in the password management solution, as ZDNet reports.











