Users of Kaspersky Password Manager (KPM) on their iPhones will probably want to generate some new passwords. A security researcher has discovered two flaws that could allow an attacker to guess your password in as few as 100 attempts. The flaws were present in passwords generated up until October 2019.
KPM's central mistake was using the current system time, in seconds, as the seed for a Mersenne Twister pseudorandom number generator.
“It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second,” Jean-Baptiste Bédrune said.
Bédrune said the program shows an animation lasting longer than a second when a password is created, which could explain why the issue went unnoticed.
“The consequences are obviously bad: every password could be bruteforced,” he said.
“For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes.”
Bédrune added that, because sites often show an account's creation time, KPM users could be exposed to a brute-force attack involving only around 100 candidate passwords.
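To make the root cause concrete, here is an added Python example (not Kaspersky's code, and not from the researcher's write-up) that contrasts a toy generator seeded the way the article describes with a hardened one. Python's `random.Random` is itself an MT19937 Mersenne Twister, so seeding it with a whole-second timestamp reproduces the flaw: two instances started in the same second emit the same password. The alphabet, password length and the 2010 timestamp are assumptions chosen for illustration; the seconds count comes from the quote above and is used only to express the seed space in bits.

```python
import math
import random
import secrets
import string
import time

# Assumed alphabet and length for the demonstration (not KPM's real charset).
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 12

# Seconds between 2010 and 2021, as quoted in the article.
SECONDS_2010_TO_2021 = 315619200


def flawed_password(seed_seconds: int, length: int = PASSWORD_LEN) -> str:
    """Reproduces the flaw: MT19937 (random.Random) seeded with a whole-second
    timestamp. Output is a pure function of the seed, so anyone who knows the
    second of generation knows the password."""
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def hardened_password(length: int = PASSWORD_LEN) -> str:
    """Hardened variant: draws from the OS CSPRNG via `secrets`, which has no
    caller-visible seed and cannot be reproduced from a timestamp."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def seed_space_bits(seconds: int) -> float:
    """Effective entropy of a timestamp-seeded generator: log2 of the number of
    distinct seeds, regardless of how long the password looks."""
    return math.log2(seconds)


def charset_space_bits(length: int = PASSWORD_LEN, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy a password of this shape would have if every character were
    chosen independently from an unpredictable source."""
    return length * math.log2(alphabet_size)


def same_second_collision() -> bool:
    """Simulates two independent KPM instances generating a password within
    the same second: with a time-based seed they agree exactly."""
    now = int(time.time())
    return flawed_password(now) == flawed_password(now)


if __name__ == "__main__":
    # Constructed timestamp: 2010-01-01T00:00:00Z, chosen for illustration.
    t0 = 1262304000
    print("flawed  (same seed twice):", flawed_password(t0), flawed_password(t0))
    print("hardened (two calls):     ", hardened_password(), hardened_password())
    print(f"seed space: {seed_space_bits(SECONDS_2010_TO_2021):.1f} bits")
    print(f"charset space for {PASSWORD_LEN} chars: {charset_space_bits():.1f} bits")
```

The two entropy figures are the whole story: a 12-character alphanumeric password should carry roughly 71 bits, but a generator whose only secret is a one-second timestamp across eleven years carries about 28 bits, and knowing the account creation time shrinks that further to the handful of seconds around it. The fix is not a better seed derivation but a CSPRNG (here `secrets`) that takes no seed at all.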
The second flaw required the attacker to know that you had used Kaspersky to generate your password. To defeat dictionary attacks, KPM generated passwords built from letter pairings rarely found in words, such as qz or zr. If an attacker knows you use KPM, they can narrow a brute-force attack to passwords built from those combinations.
Kaspersky has acknowledged the issues and says it has changed the generation logic. But if you were using KPM before October 2019, you'll want to change your passwords.