Kaspersky Password Manager Fixes Flaw That Generated Easily Bruteforced Passwords (zdnet.com) 31
An anonymous reader quotes a report from ZDNet: Suppose you are in the business of generating passwords, it would probably be a good idea to use an additional source of entropy other than the current time, but for a long time, that's all Kaspersky Password Manager (KPM) used. In a blog post to cap off an almost two year saga, Ledger Donjon head of security research Jean-Baptiste Bedrune showed KPM was doing just that. "Kaspersky Password Manager used a complex method to generate its passwords. This method aimed to create passwords hard to break for standard password crackers. However, such method lowers the strength of the generated passwords against dedicated tools," Bedrune wrote.
One of the techniques used by KPM was to make letters that are not often used appear more frequently, which Bedrune said was probably an attempt to trick password cracking tools. "Their password cracking method relies on the fact that there are probably 'e' and 'a' in a password created by a human than 'x' or 'j', or that the bigrams 'th' and 'he' will appear much more often than 'qx' or 'zr'," he said. "Passwords generated by KPM will be, on average, far in the list of candidate passwords tested by these tools. If an attacker tries to crack a list of passwords generated by KPM, he will probably wait quite a long time until the first one is found. This is quite clever." The flip side was that if an attacker could deduce that KPM was used, then the bias in the password generator started to work against it.
"If an attacker knows a person uses KPM, he will be able to break his password much more easily than a fully random password. Our recommendation is, however, to generate random passwords long enough to be too strong to be broken by a tool." The big mistake made by KPM though was using the current system time in seconds as the seed into a Mersenne Twister pseudorandom number generator. "It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second," Bedrune said. Because the program has an animation that takes longer than a second when a password is created, Bedrune said it could be why this issue was not discovered. "The consequences are obviously bad: every password could be bruteforced," he said. Bedrune added due to sites often showing account creation time, that would leave KPM users vulnerable to a bruteforce attack of around 100 possible passwords. "Kaspersky was informed of the vulnerability in June 2019, and released the fix version in October that same year," adds ZDNet. "In October 2020, users were notified that some passwords would need to be generated, with Kaspersky publishing its security advisory on 27 April 2021."
"All public versions of Kaspersky Password Manager liable to this issue now have a new logic of password generation and a passwords update alert for cases when a generated password is probably not strong enough," the security company said.
One of the techniques used by KPM was to make letters that are not often used appear more frequently, which Bedrune said was probably an attempt to trick password cracking tools. "Their password cracking method relies on the fact that there are probably 'e' and 'a' in a password created by a human than 'x' or 'j', or that the bigrams 'th' and 'he' will appear much more often than 'qx' or 'zr'," he said. "Passwords generated by KPM will be, on average, far in the list of candidate passwords tested by these tools. If an attacker tries to crack a list of passwords generated by KPM, he will probably wait quite a long time until the first one is found. This is quite clever." The flip side was that if an attacker could deduce that KPM was used, then the bias in the password generator started to work against it.
"If an attacker knows a person uses KPM, he will be able to break his password much more easily than a fully random password. Our recommendation is, however, to generate random passwords long enough to be too strong to be broken by a tool." The big mistake made by KPM though was using the current system time in seconds as the seed into a Mersenne Twister pseudorandom number generator. "It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second," Bedrune said. Because the program has an animation that takes longer than a second when a password is created, Bedrune said it could be why this issue was not discovered. "The consequences are obviously bad: every password could be bruteforced," he said. Bedrune added due to sites often showing account creation time, that would leave KPM users vulnerable to a bruteforce attack of around 100 possible passwords. "Kaspersky was informed of the vulnerability in June 2019, and released the fix version in October that same year," adds ZDNet. "In October 2020, users were notified that some passwords would need to be generated, with Kaspersky publishing its security advisory on 27 April 2021."
"All public versions of Kaspersky Password Manager liable to this issue now have a new logic of password generation and a passwords update alert for cases when a generated password is probably not strong enough," the security company said.
What is "easily bruteforced"? (Score:1)
Re: (Score:3, Informative)
In this case, "easily bruteforced" means the PRNG is seeded with only 32 bits of entropy, so there are at most 2^32 passwords with a given character set and length. That's something a desktop computer can grind through pretty quickly. Even worse, the seed is the current time in seconds, so if they have a decent guess about when the password was generated (e.g. knowing the date on which an account was opened) they can narrow down to millions or even thousands of guesses.
Which is much smaller than 32 bits (Score:3)
> âEven worse, the seed is the current time in seconds, so if they have a decent guess about when the password was generated (e.g. knowing the date on which an account was opened) they can narrow down to millions
There are only 86,400 seconds in a day.
Only 28,000 in a workday.
30 million in a year, around 8 million in a work year.
So the 32 bits thing is a distraction.
Re:Which is much smaller than 32 bits (Score:4, Funny)
Re: What is "easily bruteforced"? (Score:3)
Yeah, it's much worse than "the passwords can be brute forced". Assuming the password manager used this method since the first version in December 2010, it has only ever generated ca. 334 million passwords. You can very conveniently store that list, by my count it can't be much more than 10 GB.
It reminds me of the dude who entered a nethack tournament, and across the whole month he started just five characters. They all died from kicking a wand of wishing in room 1. Since nethack seeds its RNG from the cloc
Re: (Score:2)
Read the summary. It clearly states that it can be brute-forced in less than 100 attempts, in certain circumstances (when the attacker has downloaded the database so they have your registration timestamp, and they or their tool guesses that you might have used kaspersky).
Using the source. (Score:2)
Suppose you are in the business of generating passwords, it would probably be a good idea to use an additional source of entropy other than the current time
One would think hardware FOBs would have an advantage here in being able to incorporate a better source of entropy.
Re: (Score:2)
I'm not sure how the fobs work, but almost anything you use as a seed number (time, lat/long, PC hardware configuration, etc) might make the password "more random" compared to the general population but also more easily brute forced if the attacker knows those things about the target.
Re: (Score:2)
i like the idea of playing a game with the user, like moving the window away from the mouse icon for a few seconds, letting the user chase it. there's lots of input for you to make entropy from, including deviations from straight line that the user moves to mouse.
Re: (Score:2)
...or it's a unique fingerprint to make brute forcing your password easier if the attacker knows you movement patterns.
Grey's Law (Score:5, Insightful)
"Any sufficiently advanced incompetence is indistinguishable from malice".
In fairness, they have denied having ties to the FSB.
Re:Grey's Law (Score:5, Insightful)
I doubt you can get more incompetent and still give the impression of it actually working.
Re: (Score:3)
Re: (Score:2)
In retrospect every problem is easy to verify and fix once you understand it.
Putin’s dream (Score:2)
My passwords are not great, but good enough. (Score:3)
Of course, I have a password for every service I use. Most of these are not really important to my financial future, so I just use a password generator I wrote myself that is easy to use. I won't get specific, but the passwords are easy to write down and have between 60 and 80 bits of security. I know, that's not great, but I think it is good enough for posting on Slashdot. If someone brute-forced my password and started posting ... I don't know what ... What would be my exposure to harm? Maybe my Slashdot karma would plummet? Even if someone got access to my online banking account, the most damage they could do is to transfer money from one of my accounts to another one. It might cause a call that an automated payment did not go through. Okay, fixing this can use up my time, and I only have so many hours in this universe.
Re: (Score:2)
I accidentally moderated this as flamebait. It was a slip of my cursor. Sorry.
Well, it was the most horribly stupid mistake (Score:3)
If something like that can make it into production with these guys, you should probably run screaming if anybody suggests installing their stuff.
Re: (Score:2)
I only trust my security to madman millionaire tax fraud committing members of the suicide squad. Plus McAfee installs a system service that pops up ever 5 minutes telling me how awesome it is and how much faster and better my experience currently is. It's like a hug from my computer.
Hanlon's razor is dull and rusty (Score:5, Insightful)
I am incapable of understanding how anyone would ever think intentionally biasing the outcome of RNG would be a good idea. Or using math.random() or seeding a PRNG with only time(NULL)... this goes way beyond oversight, fuckups or even gross incompetence. They obviously did this on purpose.
Re:Hanlon's razor is dull and rusty (Score:4, Informative)
Does sound like it was written by the intern and not checked, or deliberate... It's extremely basic stuff, and Windows provides APIs that generate cryptographically secure random numbers (which you can mix with your own sources of randomness if you don't trust them).
Maybe an FSB operative managed to get a job as Kaspersky or something. Really would like to hear a detailed explanation from them as it how this made it into production.
Re: (Score:3)
I am incapable of understanding how anyone would ever think intentionally biasing the outcome of RNG would be a good idea.
Then maybe read TFS. Brute forcing passwords by random generation is difficult, so no one brute forces by random generation. Therefore if you know how they bias their brute force efforts you can bias it the opposite way.
Really the only downside is if someone knows this and actively targets you.
e.g. suppose you know that 100% of brute force efforts only use the characters available on the common English keyboard, then a password of 'ö' is suddenly very secure against such an attack. But it only takes on
Re: Hanlon's razor is dull and rusty (Score:2)
It's not necessary to bias the output. The size of the fully random space is vastly bigger than the one the crackers are aiming for.
By example: you don't need to do extra work to stop your random password generator from outputting "123456789", it will never do that anyway. All you need is for the output to be long enough.
Re: (Score:2)
I am incapable of understanding how anyone would ever think intentionally biasing the outcome of RNG would be a good idea.
Then maybe read TFS. Brute forcing passwords by random generation is difficult, so no one brute forces by random generation. Therefore if you know how they bias their brute force efforts you can bias it the opposite way.
Just because someone is able to contrive an argument does not mean it is sane, valid or worthy of any consideration. Biasing RNG outcomes effectively reduces entropy of the password rendering it easier to guess. This is common knowledge. All of the good intentions in the world does not change the fact this is fundamentally and obviously a stupid thing to do.
Everyone also knows password crackers often use dictionaries and heuristics to crack biased passwords created by humans in less time than would be r
Re: (Score:2)
Biasing RNG outcomes effectively reduces entropy of the password rendering it easier to guess.
Again entropy is only a be all and end all against *random* attacks. Attacks which are systematic in one way or another can be counterbiased.
Everyone also knows password crackers often use dictionaries and heuristics to crack biased passwords created by humans in less time than would be required if humans selected a random password to begin with.
Indeed, which is why "horsebatterysttaple" is a more secure password compared to "ad;n348!" Because if you know someone is likely to dictionary attack you it doesn't take much to throw them off.
And only one person caught this? (Score:2)
Re: (Score:2)
So now that you switched to weak Kspy passwords... (Score:2)
.. your accounts will be attacked and changed before you can get fixed Kaspersky passes installed into the accounts you're now locked out of .