LinuxQuestions.org

Thread: https://www.linuxquestions.org/questions/general-10/vulnerability-in-the-kaspersky-password-manager-4175697414/

frankbell 07-07-2021 09:33 PM

Vulnerability in the Kaspersky Password Manager
 
Bruce Schneier reported it on his blog. The short version is that it produces easily-guessable passwords.

Full Disclosure: I didn't know that Kaspersky offered a password manager.

obobskivich 07-08-2021 02:44 AM

That blog post is confusing - is/was it a password manager, or a password generator? (and am I the only one who thinks if the answer is 'both' that should be a big 'yikes!') Wouldn't it also require knowing the 'current time' at whenever it generated a password to bruteforce it? (I clicked into the article linked and indeed yes it would - they offer a hypothesis that many web forums show join date/time which could be used as a weakness here, IF you knew the account had used a password generated in this way (and I believe using the application defaults as well)). Also from the linked article, this was discovered (AND PATCHED) in 2019, and is only being disclosed/published now that the CVE is published and resolved, and apparently users were pushed notifications in 2020 to prod them to re-generate any passwords that may be vulnerable to this.

The linked article was an interesting read: https://donjon.ledger.com/kaspersky-password-manager/

sundialsvcs 07-08-2021 10:30 AM

And, "if you're relying on the extremely-limited entropy of 'a password' – any password – you are already in trouble."

Don't put anything that accepts a password "within view of the public," so that they can start trying to guess it. Place it behind something like OpenVPN, protected with individually-accountable digital certificates. A certificate contains thousands of bits of strong entropy. Before anyone is able to try their key in the front door, force them to cross the moat.

ntubski 07-08-2021 10:16 PM

Quote:

Originally Posted by obobskivich (Post 6264904)
That blog post is confusing - is/was it a password manager, or a password generator? (and am I the only one who thinks if the answer is 'both' that should be a big 'yikes!')

I think it's pretty common for password managers to also provide password generation as a feature. It adds to the convenience.

Quote:

Wouldn't it also require knowing the 'current time' at whenever it generated a password to bruteforce it? (I clicked into the article linked and indeed yes it would - they offer a hypothesis that many web forums show join date/time which could be used as a weakness here, IF you knew the account had used a password generated in this way (and I believe using the application defaults as well)).
Since they were using time in seconds, 2^32 possibilities (which could definitely be done in an offline attack) covers a range of ~136 years. Even if the join date/time isn't shown publicly you can probably guess it to within 100 years ;)

Quote:

Originally Posted by sundialsvcs (Post 6264987)
Don't put anything that accepts a password "within view of the public," so that they can start trying to guess it. Place it behind something like OpenVPN,

Now tell us how you put LQ behind a VPN so that it won't be "within view of the public" :rolleyes:

obobskivich 07-08-2021 11:45 PM

Quote:

Originally Posted by ntubski (Post 6265137)
Since they were using time in seconds, 2^32 possibilities (which could definitely be done in an offline attack) covers a range of ~136 years. Even if the join date/time isn't shown publicly you can probably guess it to within 100 years ;)

I was thinking about applications where that doesn't make sense - like say this thing's output was used as a log-in password for a system, or as a WiFi AP password, or what-have-you - it'd be impossible to guess at that. But as they pointed out, because it would be the SAME at any given time, it sounds like you could write a program that could just solve every possible password it could've generated (within a sane band based on date, so you don't need to guess values for say, 1963) and then run through that as a dictionary of sorts. Certainly not a 'good' situation for the passwords generated here, but successfully attacking it does require some foreknowledge - both that the password was generated in this way and perhaps also roughly when. It's also interesting how the Kaspersky program was attempting to foil real-world attacks by avoiding certain kinds of strings, but ended up re-creating the same problem for itself.
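To make the point in ntubski's and obobskivich's posts concrete (a seconds-resolution seed caps the keyspace at 2^32 candidates, roughly 136 years of seconds, and every password generated in the same second is identical), here is an added Python illustration that is not from the thread and not Kaspersky's code. The `weak_password` function is a simplified stand-in for the flaw pattern, not the real algorithm; `strong_password` shows the fix, and `effective_bits` is the entropy a defender should actually credit each kind of password with.

```python
import math
import secrets
import string
from random import Random

ALPHABET = string.ascii_letters + string.digits   # 62 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def weak_password(seed_second: int, length: int = 16) -> str:
    """Stand-in for a generator seeded only with the wall clock in seconds.

    Hypothetical, simplified version of the flaw pattern discussed above,
    not Kaspersky's algorithm: the PRNG is fully determined by the seed,
    so everyone who generates in the same second gets the same password.
    """
    rng = Random(seed_second)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = 16) -> str:
    """The fix: draw from the OS CSPRNG, so output is not a function of time."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def candidate_seeds(window_years: float) -> int:
    """Distinct seeds (seconds) that cover a time window; a 32-bit seed
    caps this at 2**32, which is about 136 years of seconds."""
    return min(int(window_years * SECONDS_PER_YEAR), 2 ** 32)


def effective_bits(length: int, seeded_by_clock: bool,
                   window_years: float = 136.0) -> float:
    """Entropy to credit the password with: alphabet math for a true random
    draw, but only log2(number of candidate seeds) for a clock-seeded one."""
    if seeded_by_clock:
        return math.log2(candidate_seeds(window_years))
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    t = 1_625_700_000  # constructed timestamp, early July 2021
    print("same second, same password:", weak_password(t) == weak_password(t))
    print("clock-seeded bits :", round(effective_bits(16, True), 1))
    print("CSPRNG bits       :", round(effective_bits(16, False), 1))
```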

sundialsvcs 07-09-2021 03:36 PM

Naturally, "LQ is intended to be publicly accessible." But, like all web sites these days, it does use "https" to guarantee to users that they really are contacting LQ.

"Passwords," directly exposed to the Internet-at-large, are deficient on their face ... if only because your computer will now waste a great deal of time and bandwidth rejecting millions of script-driven attempts to break it. Those resources ought to instead be used to provide useful services to legitimate users.

Hence – the "identity badges" that are used in every company. It is individually issued to you and it protects the outermost perimeter. The only parties who will ever even be invited to "say the magic word" are those who have already passed over the moat. The credential can be individually revoked when you leave the company, without impacting anybody else's access.

