If you use Kaspersky Password Manager (KPM) on iPhone, you may need to create new passwords. A security researcher has discovered two flaws that could allow an attacker to try at least 100 passwords to find yours.

The defects were valid for passwords created until October 2019.

ZDNet reports that there were two problems. The main one was that the application used the time as a seed.

The big mistake KPM made was to use the current system time in seconds as the seed for a Mersenne Twister pseudo-random number generator.

"This means that every use of Kaspersky Password Manager in the world will generate the exact same password in a given second," said Jean-Baptiste Bédrune.

Because the program shows an animation that takes more than a second while creating a password, Bédrune said this could be why the issue went unnoticed.

"The consequences are obviously bad: any password can be bruteforced," he said.

"For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate up to 315619200 passwords for a given charset. Bruteforcing takes a few minutes."
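To make the seeding flaw concrete, here is an added illustration (not KPM's code, and not from the researcher) that models a generator seeded with the system time in seconds beside a hardened version that draws from the operating system's CSPRNG. The character set, password length and the 1000-second window are constructed for the demo; the real product's charset and length are not known from this article. It shows why two users generating a password in the same second get identical output, and why the number of distinct passwords over any period is capped at the number of seconds in that period.

```python
import random
import secrets
import string

# Constructed charset for the demo; KPM's actual charset is not given here.
ALPHABET = string.ascii_letters + string.digits


def weak_password(seed_seconds: int, length: int = 12) -> str:
    """Model of the flawed scheme: a Mersenne Twister (Python's random
    module is MT19937) seeded with the current time in seconds.
    Output depends only on the seed, so it is fully reproducible."""
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = 12) -> str:
    """Hardened counterpart: every character comes from the OS CSPRNG,
    so there is no seed an observer could narrow down."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def same_second_collision(seed_seconds: int) -> bool:
    """Two independent 'users' generating in the same second get the
    same password under the weak scheme."""
    return weak_password(seed_seconds) == weak_password(seed_seconds)


def distinct_weak_passwords(start_seconds: int, end_seconds: int) -> int:
    """Audit helper: count distinct passwords the weak scheme can emit
    for timestamps in [start_seconds, end_seconds). The result is bounded
    by the window size, which is the whole problem: the keyspace is the
    number of seconds, not the size of the charset to the password length."""
    return len({weak_password(s) for s in range(start_seconds, end_seconds)})


if __name__ == "__main__":
    t = 1_500_000_000  # constructed Unix timestamp
    print("weak, same second, user A:", weak_password(t))
    print("weak, same second, user B:", weak_password(t))
    print("collide:", same_second_collision(t))
    print("distinct weak passwords in a 1000 s window:",
          distinct_weak_passwords(t, t + 1000))
    print("strong:", strong_password(), strong_password())
```

The audit function reproduces the article's arithmetic: over any window the weak generator yields at most one password per second, whereas the `secrets`-based version has a keyspace of `len(ALPHABET) ** length` regardless of when it is run.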

Ironically, a bug elsewhere in the code introduced an additional variable that partially mitigates the problem in some cases.

A second flaw was less likely to be exploited in practice, since it could only help an attacker who already knows you use KPM. To resist dictionary attacks, KPM generated passwords built from letter pairs that do not occur in words, such as qz or zr. The problem is that an attacker who knows you use KPM can restrict a brute-force attack to exactly those combinations, which can take less time than a standard dictionary attack.

Kaspersky has acknowledged the problems and says new generation logic is now in place. However, if you were using KPM before October 2019, you should change your passwords.

