SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
New Zealand
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
CIOs
#
Kaspersky
#
Ledger
Kaspersky Password Manager could be 'bruteforced in seconds'
Mon, 12th Jul 2021
FYI, this story is more than a year old
By Staff Writer
Follow us

As people and enterprises put their trust in password managers to secure their accounts, even well-built password managers can be fatally flawed.

That's according to a security researcher at Ledger, who claims that older versions of a commercially available password manager by Kaspersky are far from secure.

Ledger's Jean-Baptiste Bédrune recently posted a blog explaining how Kaspersky Password Manager (KPM) has had many problems, the most critical of which is its inability to properly secure generated passwords.

According to Bédrune, KPM is a password manager that stores automatically generated passwords and documents in a vault. These are protected by a master password that the user needs to remember. However, KPM's automatic password generation is flawed and it can actually be bruteforced ‘in seconds'.

The weakness lies in the CVE-2020-27020 vulnerability, which has now been patched. However, it took two years for Kaspersky to do anything about it according to Bédrune.

Bédrune details how KPM uses an inbuilt password generator that relies on policies including password length, uppercase letters, lowercase letters, digits, and a custom set of special characters. While KPM uses a password generation method that could be difficult for standard password crackers to break, it has a major weakness: password crackers that know a password has been created by KPM can easily use what's called a Markov generator to crack passwords.

That could mean that passwords could be bruteforced in minutes or seconds.

My1Login CEO Mike Newman comments,  “Supercomputers are able to go through billions of attempts per second to brute force a password. The lack of randomness created by KPM's solution, along with the fact that if the creation time of an account is known, an attack can be made that much quicker, highlights the fact that even random password generators can't be relied upon to keep malicious actors away.

Affected KPM versions include:

  • Kaspersky Password Manager for Windows 9.0.2 Patch F
  • Kaspersky Password Manager for Android 9.2.14.872
  • Kaspersky Password Manager for iOS 9.2.14.31

Adds Newman, “Organisations can begin solving this problem today, by taking the decision to transition their enterprise from passwords to passwordless. Going passwordless takes the responsibility away from employees, and therefore curtails the threat posed by ineffective passwords. To put it simply, if passwords are never used, then they can't be breached. This approach greatly reduces the number of entry points for criminals and helps keep organisations safe, whilst simultaneously taking the responsibility away from employees.

Related stories
Kaspersky illuminates LockBit ransomware group's advanced tactics
Malwarebytes launches free Digital Footprint Portal to protect personal data
Kaspersky's VPN outshines peers in AV-TEST's independent evaluation
Data-stealing malware affects nearly 10m devices in 2023
Kaspersky study highlights lack of progress in cybersecurity upskilling
Top stories
Fortinet recognised as Challenger in Gartner's 2024 Magic Quadrant for SSE
Coalition integrates cyber risk platform with top cloud services providers
Armis warns of major cyber-attack risk to 2024 global elections
i-PRO to support Genetec SaaS with new AI-enabled camera models
Illumio unveils AI enhancements for faster Zero Trust Segmentation adoption