Kaspersky Password Manager generated weak passwords due to a bug

Last year, the developers of Kaspersky Password Manager (KPM) asked users to update their passwords to stronger ones due to a vulnerability. Now the specialists of Ledger Donjon (the information security division of the Ledger company, which develops crypto wallets), talked about why this happened, and what problems they discovered in KPM some time ago.

Experts remind that in March 2019, Kaspersky Lab released an update for KPM, promising that now the application will be able to identify weak passwords and generate more reliable replacements for them.

Three months later, the Ledger Donjon team found that KPM was not doing very well with this, as it used a pseudo-random number generator that did not produce enough random results to generate strong passwords. In particular, the characters in the passwords were generated and placed in a not entirely random way.

“The password generator in Kaspersky Password Manager had several problems. Most critical was that it used a pseudo-random number generator that was unusable for cryptographic purposes. The only source of entropy in it was the current system time, and all the passwords he created could be found in a matter of seconds”, — the experts say.

The fact is that KPM was created to generate 12-digit passwords by default, although it allowed users to personalize their passwords by changing settings, including password length, uppercase and lowercase letters, numbers, and special characters.

Researchers at Ledger Donjon say that by striving to create passwords that are as different as possible from passwords generated by the people themselves, the application has become predictable.

Using the system time as a random seed meant that KPM generated the same passwords if users in different parts of the world clicked on the create password button at the same time and did not change the default settings. At the same time, the KPM interface displayed an animation of rapidly changing random characters, which hid the actual moment of generating the password, and made it difficult to identify the problem.

The time-based passwords were very limited, the researchers said, and could be cracked in minutes. So, if the attacker knew the time of creating a specific account (which is not difficult at all to see on any forum), the range of probabilities was greatly reduced, as well as the time required for brute-force, which could take only a few seconds.

“The consequences [of using such a mechanism] were definitely bad: any password could be cracked. For example, between 2010 and 2021, 315619200 seconds have elapsed, so KPM can generate a maximum of 315619200 passwords for a given character set. It took only a few minutes to sort through them”, — says the Ledger Donjon report.

Between October and December 2019, the developers submitted a number of patches for KPM (since the original patch for Windows did not work correctly), and as a result, the problem was fixed on Windows, Android and iOS.

In October 2020, Kaspersky Lab released KPM 9.0.2 Patch M, notifying users to update some weak passwords to stronger ones. This issue has been assigned the CVE-2020-27020 identifier, which the company reported on in April 2021.

“Kaspersky Lab has fixed a security issue in Kaspersky Password Manager that could potentially allow an attacker to find out the passwords generated by this tool. This problem manifested itself only in the unlikely case when the attacker knew the information about the user account and knew the exact time when the password was generated”, — Kaspersky Lab representatives comment.

Read also our review: Kaspersky Internet Security Review 2021 – Is Russian Antivirus Safe?