As people and enterprises put their trust in password managers to secure their accounts, even well-built password managers can be fatally flawed.
That's according to a security researcher at Ledger, who claims that older versions of a commercially available password manager by Kaspersky are far from secure.
Ledger's Jean-Baptiste Bédrune recently posted a blog explaining how Kaspersky Password Manager (KPM) has had many problems, the most critical of which is its inability to properly secure generated passwords.
According to Bédrune, KPM is a password manager that stores automatically generated passwords and documents in a vault. These are protected by a master password that the user needs to remember. However, KPM's automatic password generation is flawed and it can actually be bruteforced ‘in seconds'.
The weakness lies in the CVE-2020-27020 vulnerability, which has now been patched. However, it took two years for Kaspersky to do anything about it according to Bédrune.
Bédrune details how KPM uses an inbuilt password generator that relies on policies including password length, uppercase letters, lowercase letters, digits, and a custom set of special characters. While KPM uses a password generation method that could be difficult for standard password crackers to break, it has a major weakness: password crackers that know a password has been created by KPM can easily use what's called a Markov generator to crack passwords.
That could mean that passwords could be bruteforced in minutes or seconds.
My1Login CEO Mike Newman comments, “Supercomputers are able to go through billions of attempts per second to brute force a password. The lack of randomness created by KPM's solution, along with the fact that if the creation time of an account is known, an attack can be made that much quicker, highlights the fact that even random password generators can't be relied upon to keep malicious actors away.
Affected KPM versions include:
- Kaspersky Password Manager for Windows 9.0.2 Patch F
- Kaspersky Password Manager for Android 126.96.36.1992
- Kaspersky Password Manager for iOS 188.8.131.52
Adds Newman, “Organisations can begin solving this problem today, by taking the decision to transition their enterprise from passwords to passwordless. Going passwordless takes the responsibility away from employees, and therefore curtails the threat posed by ineffective passwords. To put it simply, if passwords are never used, then they can't be breached. This approach greatly reduces the number of entry points for criminals and helps keep organisations safe, whilst simultaneously taking the responsibility away from employees.