Kaspersky Password Manager: passwords generated were predictable

Gandalf_The_Grey

Gandalf_The_Grey

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,860
tl;dr: The password generator included in Kaspersky Password Manager had several problems. The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. All the passwords it created could be bruteforced in seconds. This article explains how to securely generate passwords, why Kaspersky Password Manager failed, and how to exploit this flaw. It also provides a proof of concept to test if your version is vulnerable.

The product has been updated and its newest versions aren’t affected by this issue.
Click to expand...
  • October 13, 2020: Kaspersky Password Manager 9.0.2 Patch M is released, with a notification to users to inform them some password must be re-generated. Kaspersky informs us the same notification will also be present in mobile versions during the first quarter of 2021. CVE-2020-27020 has also been reserved.
Click to expand...

Page Redirection

donjon.ledger.com
 
  • Like
  • Wow
  • Thanks
Reactions: Minimalist, plat, Venustus and 13 others
Lenny_Fox

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Remember the IT guy who advised my girlfriend to use KSF instead of Microsoft Defender? He also advised her to use Kaspersky Password Manager free 🤣🤣🤣 I send him the link of this article asking him what to do now.

Fun fact: my girlfriend bought a new laptop (with Ryzen 5 4500U) and I never bothered to put KSF on it, I only installed Office 2019 and Kaspersky Password Manager (added Simple Windows Hardening plus Configure Defender) and she (off course) did not notice.
 
Last edited:
  • HaHa
  • Like
  • Applause
Reactions: Venustus, RansomwareRemediation, ZeePriest and 5 others
SeriousHoax

SeriousHoax

Level 51
Verified
Top Poster
Well-known
Mar 16, 2019
4,043
WoW shocking! It's always better not to use any password managers that are included in an AV subscription. All AV's total security versions are full of bloat. It's even true for some product's internet security edition.
 
Last edited:
  • Like
  • +Reputation
  • Applause
Reactions: Guilhermesene, Minimalist, plat and 6 others
L

Local Host

SeriousHoax said:
As stated above. it's better to use password managers from companies that specialize in password management. Like Bitwarden, 1Password, etc. The reputed password managers like the two that I mentioned are also audited by third parties to ensure they are safe and secure to use.
Click to expand...
Is a simple concept of a jack off all trades and a master of none, I don't entirely blame Kaspersky but the costumers.

Anti-Virus companies should focus on their main product, rather than all this bloatware nonsense.

This is why I rather use F-Secure Anti-Virus (yes, Anti-Virus not SAFE), is the last product on earth that actually focuses on protection and doesn't include bloatware.
 
  • Like
  • Thanks
Reactions: Guilhermesene, Minimalist, ZeePriest and 2 others
SeriousHoax

SeriousHoax

Level 51
Verified
Top Poster
Well-known
Mar 16, 2019
4,043
Local Host said:
Is a simple concept of a jack off all trades and a master of none, I don't entirely blame Kaspersky but the costumers.

Anti-Virus companies should focus on their main product, rather than all this bloatware nonsense.

This is why I rather use F-Secure Anti-Virus (yes, Anti-Virus not SAFE), is the last product on earth that actually focuses on protection and doesn't include bloatware.
Click to expand...
I agree with you. Which one was the first AV to include bloatware like this? Any idea?
Yeah, I like how F-Secure handles this. You can also add ESET to the list. Their NOD32 and Internet Security version doesn't have any bloat either and also Emsisoft.
So you are using F-Secure at the moment? Not Kaspersky anymore?
 
  • Like
  • Applause
Reactions: Guilhermesene, ZeePriest and Venustus
L

Local Host

SeriousHoax said:
I agree with you. Which one was the first AV to include bloatware like this? Any idea?
Yeah, I like how F-Secure handles this. You can also add ESET to the list. Their NOD32 and Internet Security version doesn't have any bloat either and also Emsisoft.
So you are using F-Secure at the moment? Not Kaspersky anymore?
Click to expand...
I would say AVG was among the first.

I not using AV on my system, and I install Kaspersky on family members to avoid issues.

F-Secure Anti-Virus has problems with false positives, especially in games due to Deepguard, and I don't wanna be wasting time troubleshooting others PCs due to that (which is why they have Kaspersky installed, no issues whasoever and I manage them through the Cloud).
 
  • Like
Reactions: ZeePriest, Venustus, ForgottenSeer 85179 and 1 other person
jetman

jetman

Level 10
Verified
Well-known
Jun 6, 2017
477
  • Like
  • Applause
Reactions: ZeePriest, dinosaur07, CyberTech and 1 other person
Venustus

Venustus

Level 59
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Dec 30, 2012
4,809
  • HaHa
  • Like
  • Thanks
Reactions: Lenny_Fox, ZeePriest, dinosaur07 and 2 others

Similar threads

lokamoka820
    • Like
Guide | How To 7 Common Password Manager Issues and How to Fix Them (Beginners Guide)
Replies
4
Views
811
Passwords and passkeys
lokamoka820
lokamoka820
oldschool
    • Like
    • Applause
Security News Passkey technology is elegant, but it’s most definitely not usable security
Replies
4
Views
1,491
Security News
Wrecker4923
Wrecker4923
Brownie2019
On Sale! Kaspersky Plus Internet Security 2024 | 10 Devices | 1 Year | EUR 14.21
Replies
0
Views
422
Discounts and Deals
Brownie2019
Brownie2019

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top