Last year, Kaspersky Password Manager (KPM) users got an alert telling them to update their weaker passwords. In March 2019, security biz Kaspersky Lab shipped an update to KPM, promising that the application could identify weak passwords and generate strong replacements. Three months later, a team from security consultancy Donjon found that KPM didn't manage either task particularly well – the software used a pseudo-random number generator (PRNG) that was insufficiently random to create strong passwords. From that time until the last few months of 2020, KPM was suggesting passwords that could be easily cracked, without flagging the weak passwords for users.

"The password generator included in Kaspersky Password Manager had several problems," the Donjon research team explained in a blog post on Tuesday. "The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. All the passwords it created could be bruteforced in seconds."

Nonetheless, the lack of randomness meant that for any given password character set, the possible passwords created over time are limited enough that they can be brute-forced in a few minutes. And if the creation time of an account is known – something commonly displayed in online forums, according to Donjon – that range of possibilities becomes much smaller and reduces the time required for bruteforce attacks to a matter of seconds.

"The consequences are obviously bad: every password could be bruteforced," the Donjon team wrote. "For example, there are 315619200 seconds between 20, so KPM could generate at most 315619200 passwords for a given charset."

I was going to laugh off this Kaspersky password manager bug, but it is *amazing*. In the sense that I've never seen so many broken things in one simple piece of code.

In October 2020, Kaspersky released KPM 9.0.2 Patch M, which included a notification to users that certain weak passwords need to be regenerated. A series of fixes – because the initial Windows patch didn't work properly – were rolled out to the web, Windows, Android, and iOS between October and December 2019. The issue was assigned CVE-2020-27020 and Kaspersky published an advisory in April, 2021.

Just hours apart, I find out about similar defects in two different passcode generators. See the fatal assumption with the last one using MD5? Now look and see how many of the examples use “Date”? It’s only a little over a year and a half old, so you would think it should be fairly up to date security wise, and know about “known security faults” going back to the late 1970’s if not further, right?… The internet is full of such “pearls of wisdom”, and if you do not know any better, which obviously many don’t… You end up with “Blame the Intern Syndrome”, where someone who should know better but obviously does not gives what they think is a simple task to the “summer intern”. The intern, not having a clue, looks up the problem on the Internet and “Cuts-n-Pastes” some example from someone who is equally as clueless. Nobody then actually checks, and several years later… Call it a failure of the “creative commons” or “Cut-n-Paste coding”…

I recently tried to register for a certain site, and was appalled to discover that some wise-ass programmer managed to disable copy-and-paste and browser-supplied password managers, while still insisting on “complicated” patterns, which must therefore be entered by hand (lower and upper case, number, special character, a rune, and two symbols from the Cabal). I must occasionally patch up my PW generating script for the silliness du jour… Of course, not all sites have identical password requirements, and a password generated for one may not work for the other.
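The defect class the article describes, reimplemented as an added Python example (not Kaspersky's or Donjon's code): a generator whose only seed is the clock in whole seconds can emit at most one password per second, so the candidate set over any window is the window's length, and a 315619200-second window caps it at about 28 bits; the `strong_password` function beside it draws from the OS CSPRNG via `secrets` instead. The charset and the 12-character length are constructed assumptions, not KPM's real settings.

```python
import math
import random
import secrets
import string

# Constructed charset for the demonstration; KPM's real charsets are not on the page.
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"
SPECIALS = "!@#$%^&*"


def time_seeded_password(epoch_seconds: int, length: int = 12, charset: str = CHARSET) -> str:
    """The weak pattern: a general-purpose PRNG seeded with nothing but the clock.

    Anyone who picks the same second gets the same password, so the whole output
    space is one string per second (hypothetical reimplementation of the defect class).
    """
    rng = random.Random(epoch_seconds)  # Mersenne Twister, not a CSPRNG
    return "".join(rng.choice(charset) for _ in range(length))


def distinct_outputs(start_second: int, window_seconds: int, length: int = 12) -> int:
    """How many different passwords the weak generator can emit in a time window."""
    return len({time_seeded_password(s, length)
                for s in range(start_second, start_second + window_seconds)})


def entropy_bits_from_seconds(seconds: int) -> float:
    """Upper bound on entropy when time is the only seed: log2(number of possible seeds)."""
    return math.log2(seconds)


def entropy_bits_from_charset(length: int, charset: str = CHARSET) -> float:
    """Entropy a uniform CSPRNG draw of this length actually delivers."""
    return length * math.log2(len(charset))


def meets_policy(pw: str) -> bool:
    """Lower, upper, digit and special character all present (a common site policy)."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw))


def strong_password(length: int = 12, charset: str = CHARSET) -> str:
    """The fix: draw each character from the OS CSPRNG; retry until the policy is met."""
    while True:
        pw = "".join(secrets.choice(charset) for _ in range(length))
        if meets_policy(pw):
            return pw


if __name__ == "__main__":
    print(f"weak generator, one hour window: {distinct_outputs(1_600_000_000, 3600)} possible passwords")
    print(f"315619200 seconds of seeds -> at most {entropy_bits_from_seconds(315619200):.1f} bits")
    print(f"12 chars from CSPRNG -> {entropy_bits_from_charset(12):.1f} bits; sample: {strong_password()}")
```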