If you use Kaspersky's password manager, change your passwords now. But every password that has already been generated by a vulnerable version of the software is still easily crackable - a bit of a nightmare for everyone who's using the service specifically to ensure their passwords can't be cracked. Kaspersky was alerted to the issue, and has rolled out a fix.
Any hacker who knows the trick can brute force any password: The number of seconds in the day is finite, and a hacker can run through all 315,619,200 passwords tied to the seconds of the decade between 20 in just a few minutes.Īnd, if an online account publicly displays the date that it was created on, a hacker will need to run even fewer potential passwords before cracking a Kaspersky password. The reason people didn't notice that every password generated in the same second was the exact same is because the interface has a one-second animation that it plays, ensuring no one can generate two passwords in the same second.īut it's a big flaw. This would be obvious to spot if every click on the ‘Generate' button, in the password generator interface, produced the same password.” It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second. “So the seed used to generate every password is the current system time, in seconds. Here's how Ledger Donjon, head of security research at Jean-Baptiste Bédrune, explained it in a blog post:
Yes, time, one of the most predictable and non-random metrics out there. But the seed that Kaspersky was starting with was the current current system time, in seconds. So what's the problem? Well, any random number generator needs one or more sources of entropy - the element of uncertainty that ensures the result remains random.
0 kommentar(er)
