Kaspersky Password Manager generates passwords that can be 'cracked in seconds'

A now-patched vulnerability means specialised tools can game Kaspersky's method for creating passwords

Kaspersky Password Manager (KPM) has several flaws in its password generator that mean the passwords it creates can be cracked “in seconds”.

Like many password managers, KPM securely stores passwords and documents in an encrypted vault that’s protected with a master password. Users can also generate random, strong passwords for the apps and services they use, which purport to be more secure than human-generated passwords. 

Researchers, however, found the mechanism Kaspersky’s password manager uses to generate these random passwords is flawed. According to researchers with Ledger Donjon, the flaw can be exploited to the extent that these passwords can be cracked by brute force in seconds.

Kaspersky has assigned this vulnerability the tag CVE-2020-27020, and has published a security advisory regarding this flaw. The issue has now been patched, but several versions of KPM are affected including version 9.0.2 Patch F and earlier on Windows, version 9.1.14.872 and earlier on Android, and version 9.2.14.31 and earlier on iOS. 

The built-in password generator creates passwords from a given policy, with users able to change the policy settings to set the password length and include uppercase letters, lowercase letters, digits and a custom set of special characters. By default, KPM generates 12-character passwords with an extended character set.

The generation process is complex, but its net effect is that letters such as q, z and x are more likely to appear in passwords generated by KPM than in those from the average password manager. Once any given letter is generated, it also heavily skews the probability of other letters appearing in the same password.

According to Ledger Donjon researcher Jean-Baptiste Bédrune, the method was implemented to trick standard password cracking tools, which first try to break probable passwords, such as those generated by humans.

Passwords generated by KPM will be far down the list of candidate passwords tested by standard cracking tools, so attackers will likely be waiting a long time before they encounter a KPM password when attempting to crack a list of passwords.

If, however, an attacker knows the password has been generated by KPM, they can adapt their tool to the model KPM uses to generate passwords. Because KPM’s passwords are biased to some extent, this bias can be abused to enumerate the most probable passwords the tool produces.


“We can conclude that the generation algorithm in itself is not that bad: it will resist against standard tools,” Bédrune said. “However, if an attacker knows a person uses KPM, he will be able to break his password much more easily than a fully random password. Our recommendation is, however, to generate random passwords long enough to be too strong to be broken by a tool.”

In addition, the only source of entropy the password generator used was the current time, with one-second resolution (a one-second animation runs between generated passwords). This means that if every user generated a password at the same time, they would all see the same generated password.
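To make the two weaknesses above concrete (the skewed character distribution and the time-only entropy source), here is an added illustration that is not code from Kaspersky or from the Ledger Donjon write-up. It contrasts a hypothetical generator seeded only with a one-second timestamp against one that draws every character from the operating system's CSPRNG, quantifies how small the seed space is when the generation time is known to within some window, and includes a simple frequency check a reviewer can run against any generator to spot the kind of character bias described above. The character set, password length and the `time_seeded_password` routine are constructed stand-ins, not KPM's actual alphabet or algorithm.

```python
import math
import random
import secrets
import string
from collections import Counter

# Constructed character set standing in for a password manager's "extended"
# set; the page does not give KPM's real alphabet. 76 symbols in total.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
DEFAULT_LENGTH = 12


def time_seeded_password(unix_seconds: int, length: int = DEFAULT_LENGTH) -> str:
    """Hypothetical weak generator: the only entropy is a timestamp with
    one-second resolution, so two calls in the same second (by anyone,
    anywhere) return the identical password."""
    rng = random.Random(unix_seconds)  # deterministic PRNG, seeded by time
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def csprng_password(length: int = DEFAULT_LENGTH) -> str:
    """Hardened form: every character comes from the OS CSPRNG (secrets),
    so no external observer can reproduce the draw."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def candidate_seed_bits(window_seconds: int) -> float:
    """Effective entropy of a time-seeded password when the generation time
    is known to within `window_seconds`: log2 of the number of seeds."""
    return math.log2(window_seconds)


def keyspace_bits(length: int = DEFAULT_LENGTH,
                  alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of the given shape."""
    return length * math.log2(alphabet_size)


def max_frequency_ratio(passwords, alphabet: str = ALPHABET) -> float:
    """Crude bias check: ratio of the most to the least frequently drawn
    symbol across a sample. A uniform generator converges toward 1.0 as
    the sample grows; a skewed one (e.g. favouring q, z, x) stays high.
    Returns inf if some symbol of the alphabet never appears."""
    counts = Counter(ch for pw in passwords for ch in pw)
    observed = [counts.get(ch, 0) for ch in alphabet]
    least = min(observed)
    return float("inf") if least == 0 else max(observed) / least


if __name__ == "__main__":
    ts = 1_600_000_000  # constructed timestamp
    print("same second, same password:",
          time_seeded_password(ts) == time_seeded_password(ts))
    print("seed bits for one year of timestamps: %.1f"
          % candidate_seed_bits(365 * 24 * 3600))
    print("bits of a uniform 12-char password:  %.1f" % keyspace_bits())
    sample = [csprng_password() for _ in range(2000)]
    print("CSPRNG max/min symbol frequency: %.2f" % max_frequency_ratio(sample))
```

The gap between `candidate_seed_bits` and `keyspace_bits` is the whole story: a password that looks like 75 bits of entropy carries under 25 if its generator was seeded with a second-resolution clock and the account creation date is known, which is why the advisory's guidance to regenerate affected passwords matters more than their length or character mix.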

Bédrune suggests the result is that every password could be brute-forced, especially if hackers know the creation date of an account. 

“Kaspersky has fixed a security issue in Kaspersky Password Manager, which potentially allowed an attacker to find out passwords generated by the tool,” a Kaspersky spokesperson told IT Pro.

“This issue was only possible in the unlikely event that the attacker knew the user’s account information and the exact time a password had been generated. It would also require the target to lower their password complexity settings.

“The company has issued a fix to the product and has incorporated a mechanism that notifies users if a specific password generated by the tool could be vulnerable and needs changing. We recommend that our users install the latest updates. To make the process of receiving updates easier, our home products support automatic updates.”
