A password is how you prove you are you. Technology has become better and better; isn't it time to improve the way we handle our passwords?
Password manager in a nutshell.
One key point with password managers is that, unlike humans, these tools are good at generating random, strong passwords. Kaspersky Password Manager (KPM) is a product that stores passwords and documents in an encrypted vault. The vault is protected by a master password, so, as with other password managers, users only have to remember a single password to use and manage all their passwords.
What went wrong?
Password managers use a random number generator to create strong passwords, but Kaspersky was reported to be using the system time (the current date and time) as the seed. "For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset. Brute forcing them takes a few minutes."
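To make the seed problem concrete, here is an added illustration (written for this page, not code from Kaspersky or from the report; the time-seeded generator is a simplified toy): it contrasts a generator seeded with a second-granularity timestamp against one that draws from the OS CSPRNG, and shows that over the window quoted above the time-seeded one has only about 28 bits of effective entropy however long the password is, while a 20-character password from a 62-symbol alphabet should carry about 119 bits.

```python
import math
import random
import secrets
import string

# Constructed charset for the demonstration: 62 symbols (a-z, A-Z, 0-9).
CHARSET = string.ascii_letters + string.digits


def time_seeded_password(seed_seconds: int, length: int = 20) -> str:
    """Toy model of a time-seeded generator (an assumption for illustration,
    not Kaspersky's code). Every character is a deterministic function of
    the seed, so two requests in the same second give the same password and
    the number of distinct outputs can never exceed the number of seeds."""
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(CHARSET) for _ in range(length))


def csprng_password(length: int = 20) -> str:
    """Correct approach: draw every character from the OS CSPRNG via secrets."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def seed_space_bits(window_seconds: int) -> float:
    """Effective entropy of a time-seeded password: log2 of the number of
    seeds (seconds) in the window, independent of length and charset."""
    return math.log2(window_seconds)


def charset_bits(length: int, charset_size: int = len(CHARSET)) -> float:
    """Entropy a uniformly random password of this length and charset carries."""
    return length * math.log2(charset_size)


def distinct_passwords(window_seconds: int, length: int = 20) -> int:
    """Count the distinct toy passwords produced over a window of seconds;
    the output space collapses to the number of seeds, not 62**length."""
    return len({time_seeded_password(s, length) for s in range(window_seconds)})


if __name__ == "__main__":
    window = 315619200  # seconds between 2010 and 2021, as quoted in the report
    print(f"time-seeded generator over that window: ~{seed_space_bits(window):.1f} bits")
    print(f"20-char password from {len(CHARSET)} symbols: ~{charset_bits(20):.1f} bits")
    print("same second, same password:",
          time_seeded_password(1_600_000_000) == time_seeded_password(1_600_000_000))
```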
Security researcher Jean-Baptiste Bédrune also discovered a second flaw, which the company likely introduced to defeat dictionary attacks (an attack that tries every combination in the book until it hits on yours, according to the report): Kaspersky would use unusual letter groupings like zr or qz to create passwords. The obvious disadvantage of this scheme is that an attacker who knows the target is using Kaspersky Password Manager could enter the system much faster by trying these letter combinations first. In 2012, a hacker unveiled a 25-GPU cluster programmed to crack any 8-character Windows password containing uppercase and lowercase letters, numbers, and symbols in less than six hours; it can try 350 billion guesses per second. Generally, anything under 12 characters is vulnerable to being cracked. If nothing else, brute force attacks teach us that password length is very important: the longer, the better.
What now?
From that time until the last few months of 2020, KPM was suggesting passwords that could be cracked easily, without flagging them as weak to users. Kaspersky has acknowledged the problems and said that new logic is now applied. But if you were using KPM before October 2019, you'll want to change your passwords.