Are you sure Kaspersky’s Password Manager works?
For years the tool generated passwords that were easy for malicious actors to attack
Umberto RAPETTO July 13, 2021
KPM, the Kaspersky Password Manager, is a management program that lets users store passwords and confidential documents in a sort of super-secure safe.
It is a sort of “guardian angel” to whom users entrust their secrets and from whom they even ask for help to generate hard-to-guess passwords, so as to ensure the impenetrability of their device (computer, tablet or smartphone).
Characteristics of KPM
This product, developed by the Russian cybersecurity company Kaspersky – according to Jean-Baptiste Bédrune, head of the Security Research Division of the French competitor Ledger Donjon – produces cryptographically weak passwords, which are therefore easy to crack, even in a heartbeat.
The KPM solution is a kind of matryoshka that can be opened only by those who know the master alphanumeric combination; it preserves the list of passwords (and the applications they belong to) and the collection of sensitive information at risk of falling prey to prying eyes. It is available on the market for several operating systems and so suits those who use Windows, macOS, Android, iOS and so on. Its master key opens a dashboard that manages and synchronizes all the passwords used on any “contraption” the user owns.
Kaspersky Password Manager uses a particularly complex method to “invent” the passwords it suggests to its users, and that method and its results should ensure a certain impermeability to the traditional “crackers” that automatically try to find the “combination”.
The system is based on password length and on the inclusion of capital letters, lowercase letters, digits and a custom set of special characters. With these ingredients KPM – by default – generates 12-character passwords from an extended character set.
The fragility of KPM
Despite these premises, serious vulnerability problems emerged (classified by the technicians as CVE-2020-27020), all because of a somewhat “weak” pseudorandom number generator (PRNG, in the insiders' acronym).
Without getting into thorny and indigestible details for those who do not eat bread and bits, it is important to know that every copy of Kaspersky Password Manager in the world will generate the very same password in a given second. The “pain in the ass” Jean-Baptiste Bédrune states that, given the number of seconds between 2010 and 2021, KPM could generate at most 315,619,200 different passwords, a number of combinations that is particularly handy for malicious people with adequate, high-capacity computing resources.
A brute force attack (or “bruteforcing”, as those who like English expressions prefer to call it), which runs through all possible attempts, would crack the “lock” in a matter of seconds if the bandit knows when the password was created.
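The defect described above, as a constructed Python model added here (not Kaspersky's code): a generator seeded with the creation time in whole seconds next to the hardened form that draws from the operating system's CSPRNG, plus a count showing that a ten-year window of seconds gives the 315,619,200 figure quoted above. The alphabet and the 12-character length are assumptions.

```python
import math
import random
import secrets
import string
from datetime import datetime, timezone

# Assumed alphabet and length; the real product's character set is not on the page.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
LENGTH = 12


def weak_generate(created_at: int) -> str:
    """Constructed model of the flaw: the only entropy is the creation second.

    Every instance started in the same second seeds the same PRNG state and
    therefore emits the same password."""
    rng = random.Random(created_at)  # seed == Unix timestamp in seconds
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def strong_generate() -> str:
    """Hardened form: each character comes from the OS CSPRNG, no time-derived seed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def timestamp_keyspace(start_iso: str, end_iso: str) -> int:
    """Distinct outputs of weak_generate over a date window: one per second."""
    start = datetime.fromisoformat(start_iso).replace(tzinfo=timezone.utc)
    end = datetime.fromisoformat(end_iso).replace(tzinfo=timezone.utc)
    return int((end - start).total_seconds())


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy an attacker must search for a given number of candidates."""
    return math.log2(keyspace)


if __name__ == "__main__":
    t = int(datetime(2021, 7, 13, 12, 0, 0, tzinfo=timezone.utc).timestamp())
    print(weak_generate(t) == weak_generate(t))  # True: same second, same password
    window = timestamp_keyspace("2011-01-01", "2021-01-01")
    print(window, round(entropy_bits(window), 1))          # 315619200, about 28 bits
    print(round(entropy_bits(len(ALPHABET) ** LENGTH), 1))  # nominal strength, about 75 bits
    print(strong_generate() != strong_generate())          # True: CSPRNG output is not repeatable
```

The gap between roughly 28 bits (seconds in a decade) and roughly 75 bits (the nominal keyspace of a 12-character password) is what turns a seemingly strong password into a brute-forceable one.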
An old problem, now solvable
The story, to be honest, is not new, because the experts at Ledger Donjon reported this weakness to Kaspersky as early as 2019, but a real strengthening of KPM reportedly happened only last spring.
Kaspersky, for its part, plays down the issue, saying that it is quite unlikely that a criminal possesses both the user's account information and the exact time of password creation.
Since the software in question has recently been revised, those who use it should check the version of the application in use and, if it is not the most recent one, hurry to install the latest updates.