Kaspersky Password Manager: passwords generated were predictable

Gandalf_The_Grey

tl;dr: The password generator included in Kaspersky Password Manager had several problems. The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. All the passwords it created could be brute-forced in seconds. This article explains how to securely generate passwords, why Kaspersky Password Manager failed, and how to exploit this flaw. It also provides a proof of concept to test if your version is vulnerable.

The product has been updated and its newest versions aren’t affected by this issue.
  • October 13, 2020: Kaspersky Password Manager 9.0.2 Patch M is released, with a notification to users to inform them some passwords must be re-generated. Kaspersky informs us the same notification will also be present in mobile versions during the first quarter of 2021. CVE-2020-27020 has also been reserved.
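As an added illustration (not part of the quoted article or of this thread, and not Kaspersky's code), the Python below contrasts the two designs the summary describes: a non-cryptographic PRNG whose only seed is a timestamp, and a generator that draws every character from the operating system's CSPRNG. The `time_seeded_password` function is a hypothetical model of the flaw, not the product's implementation; its point is that the output can never carry more entropy than the seed, so the number of distinct passwords over any time window is bounded by the number of seconds in that window.

```python
import math
import random
import secrets
import string

# Constructed alphabet for the examples: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def secure_password(length=16, alphabet=ALPHABET):
    """Draw each character from the OS CSPRNG via the secrets module.

    There is no seed to recover: each call is independent of the clock.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def time_seeded_password(seconds_since_epoch, length=16, alphabet=ALPHABET):
    """Hypothetical weak generator modelled on the flaw described above.

    A Mersenne Twister (random.Random) seeded only with a whole-second
    timestamp is fully determined by that timestamp: the same second
    always yields the same password.
    """
    rng = random.Random(int(seconds_since_epoch))
    return "".join(rng.choice(alphabet) for _ in range(length))


def distinct_outputs(generator, window_seconds):
    """Count the distinct passwords a seeded generator can emit in a window.

    For a time-seeded generator this can never exceed window_seconds,
    however long or complex the passwords look.
    """
    return len({generator(t) for t in range(window_seconds)})


def seed_entropy_bits(window_seconds):
    """Upper bound on the entropy of a password derived from a one-second
    timestamp known to lie within a window of this many seconds."""
    return math.log2(window_seconds)


def keyspace_bits(length=16, alphabet=ALPHABET):
    """Entropy of a password whose characters are chosen independently
    and uniformly, as secure_password does."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    one_year = 365 * 24 * 3600
    print("CSPRNG password:", secure_password())
    print("16-char uniform keyspace: %.1f bits" % keyspace_bits())
    print("time-seeded, seed in a one-year window: %.1f bits"
          % seed_entropy_bits(one_year))
    print("distinct time-seeded outputs in one hour:",
          distinct_outputs(time_seeded_password, 3600))
```

The check worth running against any generator you rely on is the determinism one in the block: if calling it twice with the same seed value returns the same password, the seed is the whole secret, and the mitigation is to stop seeding from the clock and read characters from `secrets` (or the platform CSPRNG) directly.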
 

Lenny_Fox

Remember the IT guy who advised my girlfriend to use KSF instead of Microsoft Defender? He also advised her to use Kaspersky Password Manager free 🤣🤣🤣 I sent him the link to this article asking him what to do now.

Fun fact: my girlfriend bought a new laptop (with Ryzen 5 4500U) and I never bothered to put KSF on it, I only installed Office 2019 and Kaspersky Password Manager (added Simple Windows Hardening plus Configure Defender) and she (of course) did not notice.
Local Host

> As stated above, it's better to use password managers from companies that specialize in password management, like Bitwarden, 1Password, etc. The reputed password managers like the two that I mentioned are also audited by third parties to ensure they are safe and secure to use.

It's a simple concept of a jack of all trades and a master of none; I don't entirely blame Kaspersky but the customers.

Anti-Virus companies should focus on their main product, rather than all this bloatware nonsense.

This is why I'd rather use F-Secure Anti-Virus (yes, Anti-Virus, not SAFE); it's the last product on earth that actually focuses on protection and doesn't include bloatware.
 

SeriousHoax

> It's a simple concept of a jack of all trades and a master of none; I don't entirely blame Kaspersky but the customers.
>
> Anti-Virus companies should focus on their main product, rather than all this bloatware nonsense.
>
> This is why I'd rather use F-Secure Anti-Virus (yes, Anti-Virus, not SAFE); it's the last product on earth that actually focuses on protection and doesn't include bloatware.

I agree with you. Which one was the first AV to include bloatware like this? Any idea?
Yeah, I like how F-Secure handles this. You can also add ESET to the list. Their NOD32 and Internet Security versions don't have any bloat either, and neither does Emsisoft.
So you are using F-Secure at the moment? Not Kaspersky anymore?
 

Local Host

> I agree with you. Which one was the first AV to include bloatware like this? Any idea?
> Yeah, I like how F-Secure handles this. You can also add ESET to the list. Their NOD32 and Internet Security versions don't have any bloat either, and neither does Emsisoft.
> So you are using F-Secure at the moment? Not Kaspersky anymore?

I would say AVG was among the first.

I'm not using an AV on my system, and I install Kaspersky on family members' PCs to avoid issues.

F-Secure Anti-Virus has problems with false positives, especially in games due to DeepGuard, and I don't wanna be wasting time troubleshooting others' PCs because of that (which is why they have Kaspersky installed, no issues whatsoever, and I manage them through the Cloud).