![]() ![]() There are websites out there where you can put user-generated content on a subdomain. This is convenient, but potentially leads to a few security issues. If it is going to autofill your password on it will do so on or bob.as well. SubdomainsĪs a general rule, password managers do not seem to discriminate whether it is a subdomain or not. Some have it enabled by default, and others who likely do not have it as an option in Settings. Some even have Autosubmit, meaning the password manager will even submit the form so the user never has to see it. ![]() Autofill, a requirement for most issuesĪ lot of password managers have an Autofill feature enabled by default, which is a requirement for most of the problems that follow. With that said, ‘real’ vulnerabilities have been found while writing this, and chances are someone might find some on their own while reading this. ![]() Instead, it is more of a design discussion and some food for thought. This blog post will not cover any technical vulnerability that someone has assigned a CVE. They are not always foolproof, and this blog post will try to discuss some of its flaws, but they are way better than not having one. Kaspersky Lab has fixed a security issue in Kaspersky Password Manager that could potentially allow an attacker to find out the passwords generated by this tool. This problem manifested itself only in the unlikely case when the attacker knew the information about the user account and knew the exact time when the password was generated, “Kaspersky Lab representatives comment.Just to make it very clear from the start: you should use a password manager. In October 2020, Kaspersky Lab released KPM 9.0.2 Patch M, notifying users to update some weak passwords to stronger ones. This issue has been assigned the ID CVE-2020-27020, which the company reported on in an April 2021 post . “The consequences were definitely bad: any password could be cracked. For example, between 20, 315619200 seconds have elapsed, so KPM can generate a maximum of 315619200 passwords for a given character set. It took only a few minutes to sort through them, ”says the Ledger Donjon report.īetween October and December 2019, the developers submitted a number of patches for KPM (since the original patch for Windows did not work correctly), and as a result, the problem was fixed on Windows, Android and iOS. ![]() The time-based passwords were very limited and could be cracked in minutes, the researchers said. So, if the attacker knew the time of creating a specific account (which is not difficult at all to see on any forum), the range of probabilities was greatly reduced, as well as the time required for brute-force, which could take only a few seconds. Using the system time as a random seed meant that KPM generated the same passwords if users in different parts of the world clicked on the create password button at the same time and did not change the default settings. At the same time, the KPM interface displayed an animation of rapidly changing random characters, which hid the actual moment of password generation and made it difficult to identify the problem. The fact is that KPM was created to generate 12-digit passwords by default, although it allowed users to personalize their passwords by changing settings, including password length, uppercase and lowercase letters, numbers, and special characters. Researchers at Ledger Donjon say that by striving to create passwords that are as different as possible from passwords generated by the people themselves, the application has become predictable. “The password generator in Kaspersky Password Manager had several problems. Most critical was that he used a pseudo-random number generator that was unusable for cryptographic purposes. The only source of entropy in it was the current system time, and all the passwords that it created could be found in a matter of seconds, ”the experts say. Last year, the developers of Kaspersky Password Manager (KPM) asked users to update their passwords to stronger ones. Now the specialists of Ledger Donjon (the information security division of the Ledger company, which develops crypto wallets), talked about why this happened, and what problems they discovered in KPM some time ago.Įxperts remind that in March 2019, Kaspersky Lab released an update for KPM, promising that now the application will be able to identify weak passwords and generate more reliable replacements for them. Three months later, the Ledger Donjon team found that KPM was not doing very well with this, as it used a pseudo-random number generator that did not produce enough random results to generate strong passwords. In particular, the characters in the passwords were generated and placed in a not entirely random way. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |