Passwords are a necessary and growing evil in the age of the internet. They should be encrypted and as long as possible, and a new password should be chosen for each online account. Since most people cannot memorize hundreds of unrelated strings of characters, security companies have long offered what are known as password managers. Not only do they manage the mixture of different access codes for their users, they also help identify which sequences of letters and numbers are hard to crack – at least that’s how it should be. In the case of the cybersecurity provider Kaspersky, this does not seem to have worked well. As security researchers at Ledger pointed out in 2019, the character strings generated by Kaspersky’s password manager at the time followed a very simple pattern. This allowed attackers to guess the generated passwords in a very short time.
The password generator was easy to see through
According to the researchers’ report, Kaspersky’s password manager used a so-called pseudorandom number generator to produce its character strings, a type of generator that is not suitable for cryptographic purposes. The reason: it computes the character strings from an initial value, the seed. If the seed is the same, the same password is always generated. According to Ledger, Kaspersky’s generator always used the current time in seconds as the seed. The result looked random, but it wasn’t. If two users create a password at exactly the same second, it is identical for both. According to Ledger, attackers who saw through this pattern could try out every password the generator could have produced over an entire decade in a matter of minutes.
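The following added example (written for this article, not Kaspersky’s or Ledger’s code) illustrates the flaw described above in Python: a password generator built on a non-cryptographic PRNG seeded with a single integer reproduces exactly the same password whenever the seed repeats, so a seed taken from the clock in seconds leaves only as many candidate passwords as there were seconds in the period of interest. The `secure_generate` function shows the defensive alternative, drawing characters from the operating system’s cryptographic random source, which has no seed to reproduce. The function names, the alphabet and the sample seed value are assumptions chosen for the illustration.

```python
import random
import secrets
import string
import time

# Character set assumed for the illustration: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def weak_generate(length: int, seed: int) -> str:
    """Flawed design: derive the password from a non-cryptographic PRNG
    (Python's random.Random, a Mersenne Twister) seeded with one integer.
    The output is a pure function of the seed, so anyone who knows or can
    enumerate the seed obtains the same password. Constructed to mirror the
    weakness described in the article; not Kaspersky's implementation."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def weak_generate_now(length: int) -> str:
    """The variant the report describes: seed = current Unix time in seconds.
    Two calls within the same second return an identical password."""
    return weak_generate(length, int(time.time()))


def secure_generate(length: int) -> str:
    """Defensive alternative: draw every character from the OS CSPRNG via the
    secrets module. There is no seed, so no reproduction from the clock."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def seeds_in_years(years: int) -> int:
    """Size of the effective password space when the seed is a one-second
    timestamp: one candidate per second (365-day years for the estimate).
    Compare this with len(ALPHABET) ** length for the secure generator."""
    return years * 365 * 24 * 60 * 60


if __name__ == "__main__":
    sample_seed = 1_560_000_000  # constructed Unix timestamp (June 2019)
    print("weak, same seed twice:", weak_generate(16, sample_seed),
          weak_generate(16, sample_seed))
    print("secure, two calls:   ", secure_generate(16), secure_generate(16))
    print("one-second seeds in a decade:", seeds_in_years(10))
    print("secure 16-char space:        ", len(ALPHABET) ** 16)
```

Running the script shows the two weak outputs agreeing character for character while the two secure outputs differ; the final two lines put the size of the two search spaces side by side, which is the whole point of the Ledger finding. Treat any generator whose output is reproducible from a public or low-entropy seed as broken for password purposes, regardless of how random the strings look.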
Kaspersky notified users only after a year
In addition to the Windows version of the password manager, the iOS and Android versions were affected by the issue. Ledger made Kaspersky aware of the problem in June 2019, and in December 2019 the company fixed the bug in all versions. However, it was not until October 2020 that Kaspersky released an update for the Windows version warning users that they have to change old passwords for security reasons. For the mobile versions, this update did not follow until the first quarter of 2021. The company did not publish an official security notice until April 2021. In other words, despite the issue having been reported, Kaspersky users continued to use insecure passwords for about a year.