
PSA: Kaspersky Password Manager has been creating flawed passwords [U]

If you’ve been using Kaspersky Password Manager (KPM) on your iPhone for a while, you may need to generate some new passwords. A security researcher has discovered two flaws that could result in an attacker having to try as few as 100 passwords to find yours …

Update: Kaspersky has shared an official statement on the flaws:

“Kaspersky has fixed a security issue in Kaspersky Password Manager, which potentially allowed an attacker to find out passwords generated by the tool. This issue was only possible in the unlikely event that the attacker knew the user’s account information and the exact time a password had been generated. It would also require the target to lower their password complexity settings.

The company has issued a fix to the product and has incorporated a mechanism that notifies users if a specific password generated by the tool could be vulnerable and needs changing.

We recommend that our users install the latest updates. To make the process of receiving updates easier, our home products support automatic updates.”

The flaws were present for passwords generated up to October 2019.

ZDNet reports that there were two problems. The main one was that the app used the current time, in seconds, as the seed for its random number generator.

The big mistake made by KPM though was using the current system time in seconds as the seed into a Mersenne Twister pseudorandom number generator.

“It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second,” Jean-Baptiste Bédrune said.

Bédrune said that the animation the program plays when creating a password, which takes longer than a second, may explain why the issue was not discovered: two passwords generated back to back would never land on the same second.

“The consequences are obviously bad: every password could be bruteforced,” he said.

“For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes.”

Bédrune added that, because sites often display an account’s creation time, an attacker could narrow the search to the seconds around that timestamp, leaving KPM users vulnerable to a brute-force attack of around 100 possible passwords.

(Ironically, a bug in the code ended up introducing an additional variable that mitigated the problem in some cases.)
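The attack described above, as an added illustration (this is not Kaspersky’s code, and the character set, password length and timestamps are assumptions chosen for the demo): a Mersenne Twister seeded with the wall-clock second produces the same password on every machine for that second, so an attacker who knows roughly when an account was created only needs to try the seeds in a small window around that time. Python’s `random.Random` is an MT19937 instance, which makes it a convenient stand-in.

```python
import random
import secrets
import string

# Demo settings (assumption: not KPM's actual character set or default length).
CHARSET = string.ascii_letters + string.digits
LENGTH = 12


def flawed_generate(seed_seconds: int, charset: str = CHARSET, length: int = LENGTH) -> str:
    """Model of the flawed scheme: a Mersenne Twister (Python's random.Random is
    MT19937) seeded with the current time in whole seconds. Every instance seeded
    with the same second yields the same password. Stand-in code, not KPM's."""
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(charset) for _ in range(length))


def recover_seed(target: str, guessed_time: int, window: int,
                 charset: str = CHARSET, length: int = LENGTH):
    """Attacker side: brute-force the seed given an approximate creation time
    (for example the account creation timestamp a site displays). Tries every
    second in [guessed_time - window, guessed_time + window] and returns
    (seed, attempts), or (None, attempts) if the password is not in the window."""
    attempts = 0
    for seed in range(guessed_time - window, guessed_time + window + 1):
        attempts += 1
        if flawed_generate(seed, charset, length) == target:
            return seed, attempts
    return None, attempts


def safe_generate(charset: str = CHARSET, length: int = LENGTH) -> str:
    """Hardened counterpart: draw from the OS CSPRNG via the secrets module.
    There is no seed to recover, so creation time tells the attacker nothing."""
    return "".join(secrets.choice(charset) for _ in range(length))


if __name__ == "__main__":
    # Constructed scenario: a password created at 2019-03-14 15:09:26 UTC.
    created = 1552576166
    pw = flawed_generate(created)

    # A second install seeded with the same second produces the identical password.
    assert flawed_generate(created) == pw

    # The attacker's guess is off by 20 seconds and they search +/- 50 seconds:
    # at most 101 candidates instead of the whole character-set space.
    seed, tries = recover_seed(pw, created + 20, window=50)
    print(f"recovered seed {seed} after {tries} candidates (window size 101)")

    # Same search against a properly generated password never succeeds.
    print("safe password search:", recover_seed(safe_generate(), created + 20, window=50))
```

The window size, not the password length or character set, is what bounds the attacker’s work here: widening the search to every second from 2010 to 2021 is still only a few hundred million candidates, which is why Bédrune describes the whole range as brute-forceable in minutes.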

A second flaw was less likely to be an issue in practice, as it only helped an attacker who knew you used KPM. To defeat dictionary attacks, KPM generated passwords that use letter groupings not found in words – like qz or zr. The problem is, if an attacker knows you use KPM, they can instead mount a brute-force attack with these combinations, which can actually take less time than a standard dictionary attack.

Kaspersky has acknowledged the problems, and said that new logic is now applied. But if you were using KPM before October 2019, you’ll want to change your passwords.


You’re reading 9to5Mac.



Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
