Suppose you are in the business of generating passwords, it would probably be a good idea to use an additional source of entropy other than the current time, but for a long time, that's all Kaspersky Password Manager (KPM) used.
In a blog post to cap off an almost two year saga, Ledger Donjon head of security research Jean-Baptiste Bédrune showed KPM was doing just that.
"Kaspersky Password Manager used a complex method to generate its passwords. This method aimed to create passwords hard to break for standard password crackers. However, such method lowers the strength of the generated passwords against dedicated tools," Bédrune wrote.
One of the techniques used by KPM was to make letters that are not often used appear more frequently, which Bédrune said was probably an attempt to trick password cracking tools.
"Their password cracking method relies on the fact that there are probably 'e' and 'a' in a password created by a human than 'x' or 'j', or that the bigrams 'th' and 'he' will appear much more often than 'qx' or 'zr'," he said.
"Passwords generated by KPM will be, on average, far in the list of candidate passwords tested by these tools. If an attacker tries to crack a list of passwords generated by KPM, he will probably wait quite a long time until the first one is found. This is quite clever."
The flip side was that if an attacker could deduce that KPM was used, then the bias in the password generator started to work against it.
"If an attacker knows a person uses KPM, he will be able to break his password much more easily than a fully random password. Our recommendation is, however, to generate random passwords long enough to be too strong to be broken by a tool."
The big mistake made by KPM though was using the current system time in seconds as the seed into a Mersenne Twister pseudorandom number generator.
"It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second," Bédrune said.
Because the program has an animation that takes longer than a second when a password is created, Bédrune said it could be why this issue was not discovered.
"The consequences are obviously bad: every password could be bruteforced," he said.
"For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes."
Bédrune added due to sites often showing account creation time, that would leave KPM users vulnerable to a bruteforce attack of around 100 possible passwords.
However, due to some bad coding leading to an out-of-bounds read on an array, Ledger Donjon found an additional smidgen of entropy.
"Although the algorithm is wrong, it actually makes the passwords more difficult to bruteforce in some cases," the post said.
KPM versions prior to 9.0.2 Patch F on Windows, 126.96.36.1992 on Android, or 188.8.131.52 on iOS were affected, with Kaspersky replacing the Mersenne Twister with BCryptGenRandom function on its Windows version, the research team said.
Kaspersky was informed of the vulnerability in June 2019, and released the fix version in October that same year. In October 2020, users were notified that some passwords would need to be generated, with Kaspersky publishing its security advisory on 27 April 2021.
"All public versions of Kaspersky Password Manager liable to this issue now have a new logic of password generation and a passwords update alert for cases when a generated password is probably not strong enough," the security company said.
In late 2015, Kaspersky said one in seven people were using just one password.
"A strong password that differs for each account is an important basic element of protecting your digital identity," David Emm, principal security researcher at Kaspersky Lab, said at the time in a delicious piece of irony.