Nonetheless, the lack of randomness meant that for any given password character set, the possible passwords created over time are limited enough they can be brute-forced in a few minutes. All the passwords it created could be bruteforced in seconds.' Its single source of entropy was the current time. 'The most critical one is that it used a PRNG not suited for cryptographic purposes. 'The password generator included in Kaspersky Password Manager had several problems,' the Donjon research team explained in a blog post on Tuesday. In the sense that I’ve never seen so many broken things in one simple piece of code. I was going to laugh off this Kaspersky password manager bug, but it is *amazing*. Three months later, a team from security consultancy Donjon found that KPM didn't manage either task particularly well – the software used a pseudo-random number generator (PRNG) that was insufficiently random to create strong passwords.įrom that time until the last few months of 2020, KPM was suggesting passwords that could be easily cracked, without flagging the weak passwords for users. In March 2019, security biz Kaspersky Lab shipped an update to KPM, promising that the application could identify weak passwords and generate strong replacements. Last year, Kaspersky Password Manager (KPM) users got an alert telling them to update their weaker passwords.
