for a certain period and under certain conditions, Kaspersky Password Manager It was Part of the problem Who was born to solve: She Password security. meager solace He is not the only one. In recent days, some security researchers announced that they succeeded in this Re-create the algorithm that created the program strings, making it possible for a hacker to steal a user’s account.

investigations Arbitrage, the department dealing with infosec in Donjon, dates back to 2 years ago, but just before yesterday, a long post on the official blog (link in SOURCE), all the details were told. The main drawback of Kaspersky’s algorithm is that Seeds, this is the starting data from which the password was generated, was the date of the system, expressed in seconds, for the device on which the service was used; This means that every instance of the program in the world generates the exact same password in a given second. It probably took a while for someone to notice because the waiting movement during the generation lasted more than a second.

The researchers explained that there are 315,619,200 seconds in a year, and thus many passwords generated by Kaspersky Password Manager. already so, A brute force attack may take a few minutes at most To test all combinations on a local database, but given that the account creation date is often specified in a fairly precise way, the field can be limited to a few dozen attempts; It’s a matter of moments, in short – let’s go back to defining its importance, always assuming it’s a local database.

All passwords generated by Kaspersky Password Manager were expected (CVE-2020-27020)! Here’s why.https://t.co/OyNXWlYtNV

– Ledger Dungeon (@DonjonLedger) 6 July 2021

If you try to access a website insteadAnd, which is the most plausible scenario, things get complicated, because most (at least the biggest and most famous) are now implementing measures to combat the brutal impact. Anyway, to make it worse and narrow the field of possibilities, there are some refinement techniques, such as trying to rely on combinations of letters not found in dictionary words, such as “qz” or “gj”. It’s generally very effective, but only so the hacker knows it’s been used.

Kaspersky was Notified of the vulnerability in June 2019and released a fix the following October, switching to a more secure algorithm. A year later, in October 2020, the program alerted affected users to re-create and replace some passwords at risk of identification. To be more clear, it is worth making sure that the version number is greater than:

• 9.0.2 Patch F from Windows
• 9.2.14.872 Your Android device
• Your iOS 9.2.14.31

Finally, The vulnerability has been fixed, it’s been a long time and it’s now reasonably safe to talk about. However, Kaspersky was careful to explain that in order to guess a password, the hacker must know the victim’s account details and the exact date the password was created (which, in fact, does not exactly match the account creation date). In addition, the user had to effectively choose to lower the level of complexity of the generated passwords compared to the default.