Connect with us

Hi, what are you looking for?



Kaspersky Password Manager Generated Passwords That Could Quickly Be Brute-Forced

A vulnerability in the Kaspersky Password Manager resulted in the created passwords being weak enough to allow an attacker to brute-force them in seconds, a security researcher claims.

A vulnerability in the Kaspersky Password Manager resulted in the created passwords being weak enough to allow an attacker to brute-force them in seconds, a security researcher claims.

Developed by Russian security firm Kaspersky, the Kaspersky Password Manager (KPM) allows users not only to securely store passwords and documents, but also to generate passwords when needed.

All of the sensitive data stored in KPM’s vault is protected by a master password. The application is available for Windows, macOS, Android and iOS, and the sensitive data can also be accessed through the web.

The issue with the application, Ledger security researcher Jean-Baptiste Bédrune discovered roughly two years ago, was that its secure password generation mechanism was weak, allowing for created passwords to be brute-forced within seconds.

KPM was designed to generate 12-character passwords by default, but allows users to personalize their passwords by modifying settings in the KPM interface, such as password length, and the use of uppercase and lowercase letters, digits, and special characters.

The problem with KPM, Ledger’s researcher explains, is also what differentiated it from other password managers out there: in an attempt to create passwords that are as far away as possible from those generated by humans, the application became predictable.

The passwords appeared to have been created so as to prevent cracking from commonly used password crackers. The employed algorithm, however, allowed an attacker who knew that the passwords were generated using KPM to create the most probable passwords generated by the utility, Bédrune says.

Advertisement. Scroll to continue reading.

“We can conclude that the generation algorithm in itself is not that bad: it will resist against standard tools. However, if an attacker knows a person uses KPM, he will be able to break his password much more easily than a fully random password,” the researcher says.

Tracked as CVE-2020-27020, the vulnerability is related to the use of a pseudorandom number generator (PRNG) that was not cryptographically secure. The desktop app used the Mersenne Twister PRNG, while the web version used the Math.random() function, none of which are suitable for generating cryptographically secure material.

What the researcher discovered was that the application would use the system time as the seed to generate every password, meaning that “every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second.”

“The consequences are obviously bad: every password could be bruteforced. For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes,” Bédrune says.

Kaspersky started releasing patches in 2019, but it only published an advisory in April 2021.

“Password generator was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases. An attacker would need to know some additional information (for example, time of password generation),” the company said in its advisory. “All public versions of Kaspersky Password Manager liable to this issue now have a new logic of password generation and a passwords update alert for cases when a generated password is probably not strong enough.”

Users are advised to update to Kaspersky Password Manager for Windows 9.0.2 Patch F, Kaspersky Password Manager for Android, and Kaspersky Password Manager for iOS as soon as possible. The password manager also supports automatic updates.

Related: Why Better Password Hygiene Should Be Part of Your New Year’s Resolutions

Related: Apple Releases Open Source Password Manager Resources

Related: Flaw in Password Managers Allowed Apps to Steal Credentials

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.