Passwords were easy to guess

Password managers are supposed to give accounts the best possible protection with genuinely random generated passwords. However, security is not as high as it could be when the system behind the generator is easy to understand, as was evidently the case with Kaspersky.

sDyjUgtgoykWPpuvYC4wZQDg, GwtpzmdYUNimuf2zaZLWqKVv, bTBfnYv7qDBnTznACPCaxxLF: all of these are passwords produced by a password manager. At first glance, such letter-and-number combinations look more than secure. Nobody could remember them without a whole arsenal of mnemonics or a savant's memory.

The Kaspersky password manager also spits out passwords like these. However, they were relatively easy to guess once the process used to create the combinations became public. As has now become known, Kaspersky recognized the problem as early as 2019 and fixed it. However, anyone who used the manager before then is probably still using an insecure password today. Besides Windows, the Android and iOS versions are also affected.

Random password not entirely random

The problem was simply the number generator responsible for producing the passwords. At Kaspersky, the combinations were created with a pseudo-random number generator, or PRNG for short. Starting from an initial value (the seed), it computes a sequence of numbers that appears completely random. In fact, the sequence is always the same whenever the seed is the same. If the seed is known, potential attackers can simply recompute the password.

If you are wondering how attackers would get hold of this value: the password manager always used the current time in seconds as the seed, for example “5832014”. This means that every user who generates a password at 4:12:14 pm is shown the same password, which drastically reduces the number of possible passwords.
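To make the mechanism concrete, here is an added Python model (not Kaspersky's code; the article does not disclose which PRNG or character set the product used, so Python's `random` module and a 62-character alphabet are assumed) that contrasts a time-seeded generator with one drawing on the OS CSPRNG, and shows why the reachable password space collapses to one candidate per second:

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed: 62 characters
LENGTH = 24  # matches the 24-character samples quoted in the article


def weak_generate(seed_seconds: int) -> str:
    """Toy model of the flaw: a deterministic PRNG (Python's Mersenne
    Twister here, an assumption) seeded with a timestamp in seconds.
    Every user who generates in the same second gets the same password."""
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def strong_generate() -> str:
    """Hardened form: characters come from the OS CSPRNG via `secrets`,
    so there is no seed an outsider could know or narrow down."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def candidate_count(window_seconds: int) -> int:
    """Size of the password space a time-seeded generator can actually
    reach in a window: one password per second, not 62**24."""
    return window_seconds


def recover_seed(password: str, start: int, end: int):
    """Audit check: walk every second in [start, end) and return the seed
    that reproduces `password`, or None. The cost is linear in the window,
    which is why a whole year is searchable for the weak generator."""
    for seed in range(start, end):
        if weak_generate(seed) == password:
            return seed
    return None


if __name__ == "__main__":
    seed = 5832014  # the example seed value quoted in the article
    pw = weak_generate(seed)
    print(pw, weak_generate(seed) == pw)          # same second, same password
    print(candidate_count(365 * 24 * 3600))       # 31536000 candidates per year
    print(recover_seed(pw, seed - 3600, seed + 3600))  # 5832014
    print(strong_generate() != strong_generate())  # True: no shared seed
```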


According to the Ledger researchers who discovered the problem, all the passwords created within a year can be tried within a few minutes. The researchers informed Kaspersky as early as June 2019. But it was not until April 2021 that the problem first appeared in a security advisory from Kaspersky; the forced change of old passwords took place in October 2020. That leaves at least a year with insecure passwords.
