Security researchers show that Kaspersky Password Manager used the current time to generate passwords prior to a 2019 update, which produced easy-to-crack passwords.
Password generators are not always purely random, since purely random sequences can occasionally yield weak passwords. But rather than layering several rules on top of a random source to produce a strong password, Kaspersky was using only the current time to determine the generated password.
ZDNet shared research by Ledger Donjon explaining the problem with generating passwords this way. According to the research, it meant that every instance of Kaspersky Password Manager in the world would generate the same password at a given second.
“If an attacker knows a person uses KPM, he will be able to break his password much more easily than a fully random password,” said Ledger Donjon’s head security researcher. “Our recommendation is, however, to generate random passwords long enough to be too strong to be broken by a tool.”
So, someone trying to break into a user's account need only know roughly when the account was created and whether Kaspersky Password Manager was used. Every password generated that way could be brute-forced with little effort.
“For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset,” the researcher continued. “Bruteforcing them takes a few minutes.”
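As an added illustration (not Kaspersky's code: the weak generator below is a constructed toy that seeds Python's non-cryptographic PRNG with the creation second, the pattern the article describes), this shows why the effective keyspace collapses to the number of seconds in the creation window regardless of charset or length, next to a CSPRNG-based generator that has no such dependency:

```python
import math
import random
import secrets
import string
from typing import Optional

CHARSET = string.ascii_letters + string.digits  # 62 symbols
LENGTH = 12

def time_seeded_password(creation_second: int, length: int = LENGTH) -> str:
    """Constructed toy of the weak pattern: the only input is the creation
    second, fed to a non-cryptographic PRNG (not Kaspersky's real algorithm)."""
    rng = random.Random(creation_second)
    return "".join(rng.choice(CHARSET) for _ in range(length))

def random_password(length: int = LENGTH) -> str:
    """Hardened form: the OS CSPRNG, so nothing an outsider can observe or
    guess (such as a timestamp) determines the output."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))

def nominal_entropy_bits(charset_size: int, length: int) -> float:
    """Strength a user would expect from the charset and length alone."""
    return length * math.log2(charset_size)

def effective_entropy_bits(window_seconds: int) -> float:
    """Real strength of a time-seeded password: at most one distinct value
    per second of the creation window, however long the password is."""
    return math.log2(window_seconds)

def recover_creation_second(password: str, window_start: int,
                            window_seconds: int) -> Optional[int]:
    """Defender's self-check: if enumerating the creation window reproduces
    the password, the generator is no stronger than the window size.
    Returns the matching second, or None if no seed in the window matches."""
    for second in range(window_start, window_start + window_seconds):
        if time_seeded_password(second, len(password)) == password:
            return second
    return None

if __name__ == "__main__":
    seconds_2010_to_2021 = 315619200  # figure quoted by the researcher
    print(f"nominal:   {nominal_entropy_bits(len(CHARSET), LENGTH):.1f} bits")
    print(f"effective: {effective_entropy_bits(seconds_2010_to_2021):.1f} bits")
    created = 1262304000 + 4242  # constructed: shortly after 2010-01-01 UTC
    pw = time_seeded_password(created)
    print(pw, "recovered at", recover_creation_second(pw, 1262304000, 86400))
```

A 12-character password over 62 symbols nominally carries about 71 bits, but with the window the researcher quotes the time-seeded one carries about 28, which is why the self-check reproduces it from its creation second.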
KPM versions before 9.0.2 Patch F on Windows, 18.104.22.1682 on Android, or 22.214.171.124 on iOS were affected.
Kaspersky was informed of the vulnerability in June 2019 and released a fix using new password logic in October of that year. Users who have newer versions are advised to update potentially weak passwords, but any password created before October 2019 could be at risk.