“It is quite common that web sites or forums display the creation time of accounts,” explained the researchers. “For example, there are 315619200 seconds between 20, so KPM could generate at most 315619200 passwords for a given. “The consequences are obviously bad: every password could be bruteforced,” explained the researchers. Since the current system time was the random seed value, the password manager would generate identical passwords at any given time for all users worldwide. While several issues were found with the solution, the main problem was the PRNG was not suitable for cryptographic purposes, as the single source of entropy was the current time in seconds. Those policies are set for password length and the characters that must be included (upper/lower case letters, numbers, special characters). Password generation in KPG involves suggesting a password based on the policy created by the user. As a result, any passwords generated could be brute forced in a matter of minutes, and in seconds if the approximate time that the account password was created is known. In a recent blog post, researchers at security firm Donjon said the pseudo-random number generator (PRNG) used by the KPM solution was not sufficiently random to create strong passwords. Password managers often include a password generator to help users create unique, random, complex passwords for their accounts. Security researchers have discovered the random password generator of the Kaspersky Password Manager (KPM) was generating passwords that were susceptible to brute force attacks. Flaw in Kaspersky Password Manager Password Generator Made Passwords Susceptible to Brute Force Attacks
0 kommentar(er)
