
‘All the passwords it created could be bruteforced,’ bemoan French researchers

The password generator feature in Kaspersky Password Manager was insecure in various ways because the security vendor failed to follow well understood cryptographic best practices, it has emerged.

The multiple flaws – tracked as CVE-2020-27020 – were discovered in June 2019 but were only patched in October 2020.

Users were told to update to Kaspersky Password Manager 9.0.2 Patch M and re-generate passwords.

That in itself didn’t completely fix the issue, because the mobile version of the software remained vulnerable until it too was addressed and an advisory was published in April 2021.

Dictionary attack

After allowing several weeks for users to update their software, security researcher Jean-Baptiste Bédrune of French security outfit Ledger Donjon has gone public with a detailed technical write-up of the security flaws he discovered in the software.

Up until it was updated, the pseudo-random number generator (PRNG) bundled with Kaspersky Password Manager used the current time as its single source of entropy. As a result, every user who attempted to generate a password at the same time (to the second) was offered the same suggested password.

It also meant that any password generated using the technology was left vulnerable to a brute force attack based on a dictionary of possible passwords.

“All the passwords it created could be bruteforced in seconds,” according to Bédrune.

In response to queries from The Daily Swig, Kaspersky admitted the problem but played down the severity of the flaw, arguing that successful attacks relying on these vulnerabilities would be difficult in practice.

Kaspersky has fixed a security issue in Kaspersky Password Manager, which potentially allowed an attacker to find out passwords generated by the tool. This issue was only possible in the unlikely event that the attacker knew the user’s account information and the exact time a password had been generated.

If you already have Kaspersky Password Manager 5.0 or an older version installed on your computer, you can upgrade to the new version of Kaspersky Password Manager.

A license for Kaspersky Password Manager 5.0 or an older version is not valid for newer versions of Kaspersky Password Manager. You can purchase the premium version of Kaspersky Password Manager or use the free version of the application.

If a message about incompatible software appears on the screen when you attempt to upgrade Kaspersky Password Manager, you must manually delete Kaspersky Password Manager 5.0 before installing the new version.

Before removing the previous version of the application, make sure that the password protection authorization method is enabled in the application. Otherwise, all data in the vault will be permanently lost.

A Kaspersky Password Manager update fixes bugs, adds new features, and improves the performance of existing features.

Kaspersky Password Manager checks the update server once a week for a new version of the application. If a new version is available, Kaspersky Password Manager downloads it to your computer in silent mode.

After downloading the new version, the application compares all agreements from the previous version with the agreements in the update. If nothing requires user action, Kaspersky Password Manager starts the update automatically.

If the terms and conditions of the End User License Agreement or Privacy Policy have changed, the application prompts you to review and accept the new agreements. If you do not agree with the new terms and conditions of use, you can continue using the previous version of Kaspersky Password Manager, whose agreements you have already accepted.

After the update is installed, Kaspersky Password Manager prompts you to restart the application to apply the changes.
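The time-seeded generator the article above describes, as an added illustration that is not Kaspersky's code or Bédrune's: a constructed Python model of the vulnerable pattern (the only seed is the current second) beside the hardened form that draws from the OS CSPRNG, with a check that flags the flaw and the entropy arithmetic that explains why a time-bounded dictionary is enough. The alphabet, sample timestamp and one-year window are assumed values, not taken from the product.

```python
"""Model of the CVE-2020-27020 pattern (constructed, not the vendor's code).
A generator seeded only with the time in seconds is deterministic per second,
so its effective entropy is log2(number of seconds in the window the password
could have been generated in), not the nominal entropy of its length."""
import math
import random
import secrets
import string

# Assumed alphabet (94 printable ASCII characters); the real product's differs.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def weak_generate(length: int, seed_time: int) -> str:
    """Vulnerable pattern: every user generating in the same second gets the
    same password because the seed time is the only entropy source."""
    rng = random.Random(seed_time)  # fully determined by the seed
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int) -> str:
    """Hardened pattern: each character comes from the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits_time_seeded(window_seconds: int) -> float:
    """Effective entropy of a time-seeded generator: only the seed varies, so
    the candidate dictionary has one entry per second in the window."""
    return math.log2(window_seconds)


def entropy_bits_uniform(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Nominal entropy of a length-n password drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def is_time_determined(generate, seed_time: int, length: int = 16) -> bool:
    """Audit check for the flaw: same second in, same password out."""
    return generate(length, seed_time) == generate(length, seed_time)


if __name__ == "__main__":
    t = 1_600_000_000  # constructed sample timestamp, seconds since the epoch
    print("weak, same second twice:", weak_generate(16, t), weak_generate(16, t))
    print("strong, two calls:", strong_generate(16), strong_generate(16))
    # One year of seconds is about 25 bits; 16 chars from this alphabet is about 105.
    print(f"{entropy_bits_time_seeded(365 * 24 * 3600):.1f} vs "
          f"{entropy_bits_uniform(16):.1f} bits")
```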
