Kaspersky Password Manager's passwords could be easily brute-forced

Issues with the password generation tool revealed: Kaspersky knew about easily cracked passwords back in 2019

Password Manager generator has had issues since 2019. Passwords made with the Kaspersky tool can be brute-forced.

Kaspersky Password Manager, a tool meant to produce random passwords, turned out to be far less random than it looked. The generator used no source of entropy other than the current system time, in whole seconds, which it fed as the seed to a PRNG (a Mersenne Twister) that is not suitable for cryptographic purposes. One seed value per second means one possible password per second, so every password the tool produced could be enumerated: an attacker who knows the approximate moment of generation can brute-force it in seconds, and even the entire space of seconds across a decade is only a few hundred million candidates.

Kaspersky Password Manager also used a deliberately non-uniform method to pick characters: it favoured characters that appear rarely in human-chosen passwords, on the assumption that this would defeat ordinary password crackers. Against a dedicated tool the effect is the opposite. A uniform draw from the whole charset is the strongest choice; any bias towards particular characters shrinks the set of likely passwords and lets an attacker who knows the bias guess them faster[1].

Even though Kaspersky was informed of the problem in June 2019 and shipped a fixed version in October of that year, the company published a security advisory only on 27 April 2021. It acknowledged that the previously used password generator was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases[2]. The company states that the issue has since been fixed.

An attacker would have to know the time of password generation

The flaw is one of threat modelling rather than of implementation detail: the generator was designed to defeat crackers that try common patterns, but it overlooked the basic requirement that a secret be unpredictable. To exploit it, an attacker needs one extra piece of information, the time at which the password was generated. Knowing that time even roughly narrows the search to one candidate per second in the suspected window.

The company advised users to change or regenerate all passwords created before October 2019, and assured them that all public versions of Kaspersky Password Manager affected by the issue now use a new password generation method.

In the vulnerable versions, the password manager generated the identical password at any given second anywhere in the world. The program's interface showed a one-second animation of rapidly shifting random characters, which masked the fact that the result was fixed by the moment of generation and kept the weakness invisible to users[3].

Kaspersky is a Russian, Moscow-based cybersecurity and anti-virus provider. The company develops and distributes information security software solutions. Kaspersky offers anti-malware, cybersecurity intelligence software, and threat prevention products to protect information from viruses, spyware, ransomware, phishing, hackers, and spam[4].

In certain cases, generated passwords could cause security risks

Random password generation tools are common and, when built correctly, offer both convenience and security. Most password managers use a pseudo-random number generator (PRNG): an algorithm that starts from a number called a seed.

The algorithm transforms the seed into an output number with no obvious relationship to it, and that output (or the internal state it came from) becomes the seed for the next step. The whole sequence is therefore fixed by the initial seed: the same seed always yields the same numbers, and so the same passwords[5].

For generating secrets, such a PRNG is only safe if the seed itself is unpredictable and the algorithm is designed so that its outputs do not reveal its state. In the Kaspersky case the seed was the clock, so anyone who knows which algorithm is used and roughly when the password was created can replay the sequence and reproduce the password.

Given that information and the candidate seeds, the attacker replicates the sequence of random numbers offline, with no need to interact with the victim's system or account. The attack therefore does not require a sophisticated or targeted adversary: any account whose password came from the flawed generator is exposed if its creation time can be estimated, although the consequences are greatest for companies and government systems, where a single recovered password may open far more.
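The following is an added example, not Kaspersky's code and not code from the cited research. It models the class of flaw described above and in the section on knowing the time of generation: a Mersenne Twister (Python's `random` module) seeded with nothing but the wall-clock second, the offline search an attacker runs when the creation time is known only approximately, and the hardened alternative that draws from the operating system's CSPRNG. The charset, password length, timestamps and time window are constructed assumptions chosen for illustration.

```python
import random
import secrets
import string
from typing import Optional

# Constructed charset for the toy model; the real product's charset is not
# reproduced here.
CHARSET = string.ascii_letters + string.digits


def weak_generate(seed_seconds: int, length: int = 12) -> str:
    """Model of the flawed design: a Mersenne Twister (random.Random) seeded
    with nothing but the current time in whole seconds.

    Every instance seeded with the same second produces the same password, so
    the entire output space is one password per second.
    """
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(CHARSET) for _ in range(length))


def candidate_count(window_seconds: int) -> int:
    """Size of the search space when the attacker knows the generation time
    to within +/- window_seconds: one candidate seed per second."""
    return 2 * window_seconds + 1


def recover_seed(target: str, approx_seconds: int, window_seconds: int,
                 length: int = 12) -> Optional[int]:
    """Attacker side: knows the algorithm, charset and length, and has an
    estimate of the creation time (for example an account-creation date taken
    from a breach dump). Re-seeds the PRNG for each second in the window and
    compares the output with the target. Returns the matching seed, which is
    also the exact creation second, or None if it lies outside the window."""
    for seed in range(approx_seconds - window_seconds,
                      approx_seconds + window_seconds + 1):
        if weak_generate(seed, length) == target:
            return seed
    return None


def strong_generate(length: int = 12) -> str:
    """Hardened form: every character is drawn from the OS CSPRNG via the
    secrets module. There is no seed to guess, and each character carries
    log2(62), about 5.95 bits of entropy from this 62-symbol charset."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


if __name__ == "__main__":
    # Constructed scenario: a password generated at a fixed epoch second.
    created_at = 1_600_000_000  # 2020-09-13 12:26:40 UTC, chosen arbitrarily
    victim_pw = weak_generate(created_at)
    # The attacker only knows the day, so the window is +/- 12 hours.
    guess_time = created_at + 5 * 3600
    print("weak password:", victim_pw)
    print("seeds to try for a +/- 12 h window:", candidate_count(12 * 3600))
    print("recovered creation second:", recover_seed(victim_pw, guess_time, 12 * 3600))
    print("CSPRNG password:", strong_generate())
```

The search in `recover_seed` is the whole attack: with the creation day known, at most 86,401 seeds need to be tried, which takes well under a second on a laptop, and the result is not merely a matching password but the exact second it was created. Replacing the seeded `random.Random` with `secrets.choice`, as in `strong_generate`, removes the seed entirely, so there is nothing for the time window to narrow down.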

About the author
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst and the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
