Update Kaspersky Password Manager: passwords generated were predictable

Gandalf_The_Grey

tl;dr: The password generator included in Kaspersky Password Manager had several problems. The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. All the passwords it created could be brute-forced in seconds. This article explains how to securely generate passwords, why Kaspersky Password Manager failed, and how to exploit this flaw. It also provides a proof of concept to test if your version is vulnerable.

The product has been updated and its newest versions aren’t affected by this issue.
  • October 13, 2020: Kaspersky Password Manager 9.0.2 Patch M is released, with a notification to users to inform them some passwords must be re-generated. Kaspersky informs us the same notification will also be present in mobile versions during the first quarter of 2021. CVE-2020-27020 has also been reserved.
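To illustrate the generator weakness the tl;dr describes (a non-cryptographic PRNG whose only entropy is the clock), here is an added example written for this thread; it is not Kaspersky's or Donjon's code, and the alphabet, password length and timestamp are constructed. It puts the weak pattern beside the hardened form and compares the effective keyspace of each.

```python
import math
import random
import secrets
import string

# Character set shared by both generators (constructed for this example).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def time_seeded_password(timestamp: int, length: int = 12) -> str:
    """Weak pattern: a non-cryptographic PRNG seeded only from the clock.

    The seed is the only secret, so anyone who knows or can narrow down the
    creation time can regenerate the same password. Demonstration only.
    """
    rng = random.Random(timestamp)  # Mersenne Twister, fully determined by the seed
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def csprng_password(length: int = 12) -> str:
    """Hardened form: every character is drawn from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def effective_entropy_bits(seed_space: int) -> float:
    """Bits of security when guessing the seed is all an attacker has to do."""
    return math.log2(seed_space)


def nominal_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits the password would carry if each character were chosen independently."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    t = 1_600_000_000  # constructed creation timestamp (seconds)
    print("time-seeded #1:", time_seeded_password(t))
    print("time-seeded #2:", time_seeded_password(t))  # identical: same seed
    print("CSPRNG:        ", csprng_password())
    # Ten years of one-second timestamps is a tiny seed space next to the
    # nominal keyspace of a 12-character password over a 94-symbol alphabet.
    print(f"nominal: {nominal_entropy_bits(12):.1f} bits, "
          f"time-seeded over 10 years: "
          f"{effective_entropy_bits(10 * 365 * 86400):.1f} bits")
```

The check to take away: a generator is only as strong as the entropy behind its seed, which is why a password manager must draw from a CSPRNG rather than a seeded PRNG.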
 

Lenny_Fox

Remember the IT guy who advised my girlfriend to use KSF instead of Microsoft Defender? He also advised her to use Kaspersky Password Manager free 🤣🤣🤣 I sent him the link to this article asking him what to do now.

Fun fact: my girlfriend bought a new laptop (with Ryzen 5 4500U) and I never bothered to put KSF on it, I only installed Office 2019 and Kaspersky Password Manager (added Simple Windows Hardening plus Configure Defender) and she (of course) did not notice.
 

Local Host

As stated above, it's better to use password managers from companies that specialize in password management, like Bitwarden, 1Password, etc. The reputed password managers like the two that I mentioned are also audited by third parties to ensure they are safe and secure to use.
It's the simple concept of a jack of all trades and a master of none. I don't entirely blame Kaspersky but the customers.

Anti-Virus companies should focus on their main product, rather than all this bloatware nonsense.

This is why I'd rather use F-Secure Anti-Virus (yes, Anti-Virus, not SAFE); it's the last product on earth that actually focuses on protection and doesn't include bloatware.
 

SeriousHoax

I agree with you. Which one was the first AV to include bloatware like this? Any idea?
Yeah, I like how F-Secure handles this. You can also add ESET to the list. Their NOD32 and Internet Security versions don't have any bloat either, and neither does Emsisoft.
So you are using F-Secure at the moment? Not Kaspersky anymore?
 

Local Host

I would say AVG was among the first.

I'm not using an AV on my system, and I install Kaspersky on family members' PCs to avoid issues.

F-Secure Anti-Virus has problems with false positives, especially in games due to DeepGuard, and I don't wanna be wasting time troubleshooting others' PCs due to that (which is why they have Kaspersky installed, no issues whatsoever, and I manage them through the Cloud).
 
