For years, Kaspersky's password manager suffered from a major security shortcoming, namely, its password generator. Donjon researchers found that the password generator included in Kaspersky Password Manager had several problems. Most significant is the fact that the PRNG used a single source of entropy - the.

Kaspersky Password Manager Caught Generating Easily Brute Forced Passwords, by Kavita Iyer - J: A security researcher has discovered a vulnerability in the Kaspersky Password Manager (KPM) that resulted in the creation of cryptographically weak passwords, which could be easily brute-forced in seconds.

For internet-facing systems, your threat model should acknowledge that the user database is going to leak. It happens all the time, even though many businesses don't admit it. (You can tell how rampant the problem is: use a unique email address per service, wait a year or two, and check how much spam arrives at those addresses.)

Encryption is irrelevant when your threat model involves a leaked user database. If a service keeps passwords encrypted at rest, the decryption keys have to be available to the system at runtime, so you can assume that the decryption key is going to ship along with the leak.

Hashing passwords, if done properly, will buy you some time against an offline brute-forcer. But not if the space of possible passwords is as tiny as in the Kaspersky case: a slow hash multiplies the attacker's cost per guess, and a generator seeded from the clock leaves only a few thousand guesses per hour of uncertainty about the creation time. So hashing isn't going to help much here either. In other words, if a database of Kaspersky-generated passwords is ever leaked, consider them easily brute-forced, no matter what.

Even if logon attempts are rate-limited and the database never leaks, the password is still at risk. The attacker may learn the time when the victim's account was created, guess the timestamp in seconds, apply the Kaspersky algorithm and get the password right in four or five attempts if they're lucky.
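The following is an added example, not code from the Donjon writeup and not Kaspersky's actual algorithm: `weak_generate` is a hypothetical stand-in that seeds a deterministic PRNG with nothing but the creation time in seconds, `strong_generate` is the corrected form drawing from the OS CSPRNG, and PBKDF2 stands in for whatever slow hash the service uses at rest. The timestamp, salt, alphabet and password length are constructed for the demo. It shows both halves of the argument above: the offline attack needs only `2*window+1` hash evaluations against a leaked hash, and the online attack needs about as many guesses as the attacker's timestamp estimate is off by.

```python
"""Time-seeded password generator vs. a leaked hash and an online guesser.
Added example; weak_generate is a hypothetical stand-in, not KPM's algorithm."""
import hashlib
import hmac
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # assumed 62-symbol alphabet


def weak_generate(seed_seconds: int, length: int = 12) -> str:
    """Hypothetical weak generator: the only entropy is the clock in seconds,
    so the same second always yields the same password."""
    rng = random.Random(seed_seconds)             # deterministic PRNG
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int = 12) -> str:
    """Corrected form: every symbol comes from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def slow_hash(password: str, salt: bytes, iterations: int = 20_000) -> bytes:
    """Salted, iterated hash standing in for the service's password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def candidates(t_guess: int, window: int) -> list:
    """Every password the weak generator could have produced within
    +/- window seconds of the attacker's estimate of the creation time.
    This is also the online guess list: 2*window+1 entries."""
    return [weak_generate(t) for t in range(t_guess - window, t_guess + window + 1)]


def crack_leaked_hash(digest: bytes, salt: bytes, t_guess: int, window: int):
    """Offline attack on a leaked (salt, hash) pair. Instead of 62**12
    candidates, only 2*window+1 need hashing; the slow hash barely matters."""
    for t in range(t_guess - window, t_guess + window + 1):
        cand = weak_generate(t)
        if hmac.compare_digest(slow_hash(cand, salt), digest):
            return cand, t
    return None


def demo(window: int = 30) -> dict:
    """Constructed scenario: one weak and one strong password, both leaked
    as salted hashes; the attacker's creation-time estimate is 7 s off."""
    creation_time = 1_624_000_000                 # constructed timestamp
    salt = b"\x00" * 16                           # constructed, fixed salt
    weak_pw = weak_generate(creation_time)
    strong_pw = strong_generate()
    leaked_weak = slow_hash(weak_pw, salt)
    leaked_strong = slow_hash(strong_pw, salt)

    t_guess = creation_time + 7                   # e.g. from a welcome e-mail
    return {
        "weak_cracked": crack_leaked_hash(leaked_weak, salt, t_guess, window),
        "strong_cracked": crack_leaked_hash(leaked_strong, salt, t_guess, window),
        "online_guesses": len(candidates(t_guess, 7)),
        "weak_in_online_list": weak_pw in candidates(t_guess, 7),
    }


if __name__ == "__main__":
    print(demo())
```

Widening `window` to a full day costs the attacker 86,401 hash evaluations, which is hours at most even with a deliberately slow KDF; the same search against `strong_generate` returns `None` because no clock value reproduces its output.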