Password managers are a vital line of defense in the battle for internet security — which makes it all the more painful when they shit the bed.
The Kaspersky Password Manager (KPM), a free tool used to generate and manage online passwords, has long been a popular alternative to the likes of LastPass or 1Password. Unfortunately, according to security researcher Jean-Baptiste Bédrune, a bad coding decision meant that the passwords it generated weren't truly random and, as a result, could be brute forced: instead of having to try every possible combination of characters, an attacker only had to try the relatively small set of outputs the generator could have produced around the time the password was created.
Bédrune, who is a security researcher for the cryptocurrency hard-wallet company Ledger, writes that when generating a supposedly random password, KPM used the current time as its "single source of entropy."
While that sounds technical, it boils down to KPM seeding its pseudo random number generator with the current time. A pseudo random number generator is deterministic: given the same seed it produces the same sequence, so two passwords generated from the same clock value come out identical, and the only thing an attacker doesn't know is that clock value. Knowing when the password was generated, even approximately, therefore lets an attacker step through every clock value in that window, regenerate the candidate password for each one, and try them, rather than searching the whole password space.
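To make the mechanism concrete, the Python below is an added illustration, not Kaspersky's or Bédrune's code and not a claim about KPM's actual algorithm, character set or password length. It models a generator seeded with the current second, the attacker's loop over a one-hour window using a yes/no oracle (such as a login form), and the hardened alternative that draws from the operating system's cryptographic random source. The alphabet, the 12-character length, the timestamp and the oracle are all assumptions constructed for the example.

```python
import random
import secrets
import string
from typing import Callable, Optional, Tuple

# Assumed character set and length for the illustration; the real KPM
# settings are not described in the article.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
LENGTH = 12


def weak_generate(seed_seconds: int, length: int = LENGTH) -> str:
    """Simplified model of the flaw: a general-purpose PRNG seeded only with
    the current Unix time in seconds. The same second always yields the same
    password, so the clock value is the only secret."""
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int = LENGTH) -> str:
    """Hardened version: every character is drawn from the OS CSPRNG, so the
    output does not depend on any value an attacker can guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def attack(check: Callable[[str], bool], t_start: int, t_end: int,
           length: int = LENGTH) -> Tuple[Optional[int], Optional[str], int]:
    """Attacker's view of the weak generator: the generation time is known to
    lie in [t_start, t_end] and an oracle (e.g. a login attempt) reports
    whether a guess is correct. One candidate per second is tried instead of
    the full alphabet**length space.
    Returns (seed, password, attempts), or (None, None, attempts) on failure."""
    attempts = 0
    for t in range(t_start, t_end + 1):
        attempts += 1
        candidate = weak_generate(t, length)
        if check(candidate):
            return t, candidate, attempts
    return None, None, attempts


def search_space_ratio(window_seconds: int, length: int = LENGTH) -> float:
    """How many times larger the full keyspace is than the candidate set left
    once the generation time is known to within window_seconds."""
    return len(ALPHABET) ** length / window_seconds


def demo() -> Tuple[bool, int]:
    """Constructed scenario: the victim generated a password at an arbitrary
    example timestamp and the attacker knows the time to within an hour."""
    victim_time = 1_560_000_000            # constructed Unix timestamp
    victim_password = weak_generate(victim_time)
    oracle = lambda guess: guess == victim_password   # stands in for a login form
    window_start = victim_time - 1800      # attacker's estimate is off by 30 min
    _, recovered, attempts = attack(oracle, window_start, window_start + 3600)
    return recovered == victim_password, attempts


if __name__ == "__main__":
    found, tries = demo()
    print(f"recovered: {found} after {tries} guesses "
          f"(full keyspace is {search_space_ratio(3600):.2e}x larger than the window)")
    print("hardened sample:", strong_generate())
```

The point of `search_space_ratio` is the contrast the article is driving at: a one-hour uncertainty leaves 3,601 candidates regardless of how long or complex the password looks, because length and character set add nothing when the seed is the only input. Kaspersky's remark about "lower[ing] their password complexity settings" refers to the real product's options and is not modelled here.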
"All the passwords it created could be bruteforced in seconds," writes Bédrune.
Bédrune's team submitted the vulnerability to Kaspersky through HackerOne's bug bounty program in June of 2019, and Ledger's blog post says Kaspersky notified potentially affected users in October of 2020.
When reached for comment, Kaspersky confirmed — but downplayed — the problem identified by Bédrune.
"This issue was only possible in the unlikely event that the attacker knew the user's account information and the exact time a password had been generated," wrote a company spokesperson. "It would also require the target to lower their password complexity settings."
Kaspersky also published a security advisory detailing the flaw in April of 2021.
"Password generator was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases," read the alert. "An attacker would need to know some additional information (for example, time of password generation)."
That alert also noted that the issue had since been fixed in the product, a claim echoed by the spokesperson.
"The company has issued a fix to the product and has incorporated a mechanism that notifies users if a specific password generated by the tool could be vulnerable and needs changing."
So what does this mean for the average KPM user? Well, if they've been using the same KPM-generated passwords for over two years (a habit that would typically be fine), they should create new ones.
Other than that? Keep using a password manager and enable two-factor authentication.
A popular password manager screwed up, but there's an easy fix