Passwords were easy to guess
Password managers are supposed to ensure the maximum security of accounts with their actually randomly generated passwords. However, the security is not as maximum if the system behind it is easy to see through – as apparently with Kaspersky.
sDyjUgtgoykWPpuvYC4wZQDg, GwtpzmdYUNimuf2zaZLWqKVv, bTBfnYv7qDBnTznACPCaxxLF – all of these are passwords generated by a password manager. At first glance, these number-letter combinations look more than safe. They can only be noticed with an empire of donkey bridges or an island talent.
The Kaspersky password manager also spits out such passwords. However, it was relatively easy to guess when the process used to create the combinations became public. As has now been announced, Kaspersky recognized the problem as early as 2019 and eliminated it. However, anyone who used the manager before this period is probably still using an insecure password today. In addition to Windows, the versions for Android and iOS are also affected.
Contents
Random password not entirely random
The problem was quite simply a number generator that is responsible for generating the passwords. At Kaspersky, the combinations were created using a pseudo-random number generator, or PRNG for short. Based on an initial value, it calculates a series of numbers that appear completely incoherent. In fact, the sequence of numbers is always the same if the initial value is the same. If this initial value is known, potential attackers can simply calculate the password.
If you are wondering how hackers should get this value: The password manager always took the current time in seconds as the initial value. For example “5832014”. This means that every user who uses the password manager at 4:12:14 pm is shown the same password. This considerably reduces the number of potential passwords.
According to Ledger researcherswho discovered the problem, it is possible within a few minutes to try all the passwords that were created within a year. The researchers informed Kaspersky as early as June 2019. But it wasn’t until April 2021 that the problem appeared in one for the first time Security Advisory from Kaspersky on; the forced change of old passwords took place in October 2020. What remains is at least a year with insecure passwords.
