Vulnerability in the Kaspersky Password Manager
Bruce Schneier reported it on his blog. The short version is that it produces easily-guessable passwords.
Full Disclosure: I didn't know that Kaspersky offered a password manager. |
That blog post is confusing - is/was it a password manager, or a password generator? (and am I the only one who thinks if the answer is 'both' that should be a big 'yikes!') Wouldn't it also require knowing the 'current time' at whenever it generated a password to brute-force it? (I clicked into the article linked and indeed yes it would - they offer a hypothesis that many web forums show join date/time which could be used as a weakness here, IF you knew the account had used a password generated in this way (and I believe using the application defaults as well)). Also from the linked article, this was discovered (AND PATCHED) in 2019, and is only being disclosed/published now that the CVE is published and resolved, and apparently users were pushed notifications in 2020 to prod them to re-generate any passwords that may be vulnerable to this.
The linked article was an interesting read: https://donjon.ledger.com/kaspersky-password-manager/ |
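To make the "knowing the current time" point above concrete, here is an added illustration (not Kaspersky's code, and not from the linked article): a constructed toy generator whose only secret input is a one-second timestamp, beside a generator that draws from the OS CSPRNG, with the effective entropy of each once the creation time is known to within some window (a forum join date, say).

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
LENGTH = 12


def time_seeded_password(timestamp: int, length: int = LENGTH) -> str:
    """Constructed weak generator: seeded solely from a 1-second timestamp,
    so the output is fully determined by *when* it was generated."""
    rng = random.Random(timestamp)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def csprng_password(length: int = LENGTH) -> str:
    """Fixed generator: each symbol drawn independently from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_entropy_bits(length: int = LENGTH,
                         alphabet_size: int = len(ALPHABET)) -> float:
    """What the password *looks* like it is worth: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def time_seeded_entropy_bits(window_seconds: int) -> float:
    """What the time-seeded password is actually worth once the creation
    time is known to within window_seconds: at most log2(window) bits,
    regardless of the password's length or alphabet."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    ts = 1_500_000_000  # constructed sample timestamp
    print("time-seeded, same second twice:", time_seeded_password(ts),
          time_seeded_password(ts))
    print("csprng:", csprng_password())
    print(f"nominal: {nominal_entropy_bits():.1f} bits")
    print(f"known to the day: {time_seeded_entropy_bits(86400):.1f} bits")
    print(f"known to the year: {time_seeded_entropy_bits(365 * 86400):.1f} bits")
```

Two users who happen to generate a password in the same second get the same string from the weak generator, which is the determinism that makes the join-date observation matter.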
And, "if you're relying on the extremely-limited entropy of 'a password' – any password – you are already in trouble."
Don't put anything that accepts a password "within view of the public," so that they can start trying to guess it. Place it behind something like OpenVPN, protected with individually-accountable digital certificates. A certificate contains thousands of bits of strong entropy. Before anyone is able to try their key in the front door, force them to cross the moat. |
Naturally, "LQ is intended to be publicly accessible." But, like all web sites these days, it does use "https" to guarantee to users that they really are contacting LQ.
"Passwords," directly exposed to the Internet-at-large, are deficient on their face ... if only because your computer will now waste a great deal of time and bandwidth rejecting millions of script-driven attempts to break it. Those resources ought to instead be used to provide useful services to legitimate users. Hence – the "identity badges" that are used in every company. It is individually issued to you and it protects the outermost perimeter. The only parties who will ever even be invited to "say the magic word" are those who have already passed over the moat. The credential can be individually revoked when you leave the company, without impacting anybody else's access. |