Password managers are a vital line of defense in the battle for internet security — which makes it all the more painful when they
The
Bédrune, who is a security researcher for the cryptocurrency hard-wallet company
While that sounds super technical, it essentially boils down to KPM using the time as the basis for its pseudo random number generator. Knowing when the password was generated, even approximately, would therefore give a hacker vital information in an attempt to crack a victim’s account.
“All the passwords it created could be bruteforced in seconds,” writes Bédrune.
Bédrune’s team submitted the vulnerability to Kaspersky through HackerOne’s
When reached for comment, Kaspersky confirmed — but downplayed — the problem identified by Bédrune.
“This issue was only possible in the unlikely event that the attacker knew the user’s account information and the exact time a password had been generated,” wrote a company spokesperson. “It would also require the target to lower their password complexity settings.”
Kaspersky also published
“Password generator was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases,” read the alert. “An attacker would need to know some additional information (for example, time of password generation).”
That alert also noted that, going forward, the password manager had fixed the issue — a claim echoed by the spokesperson.
“The company has issued a fix to the product and has incorporated a mechanism that notifies users if a specific password generated by the tool could be vulnerable and needs changing.”
SEE ALSO:
So what does this mean for the average KPM user? Well, if they’ve been using the same KPM-generated passwords for over two years (a habit that would
Other than that? Keep using a password manager and enable