The problem with KPM, Ledger’s researcher explains, is also what differentiated it from other password managers out there: in an attempt to create passwords that are as far away as possible from those generated by humans, the application became predictable.
The passwords appeared to have been created so as to prevent cracking from commonly used password crackers. The employed algorithm, however, allowed an attacker who knew that the passwords were generated using KPM to create the most probable passwords generated by the utility, Bédrune says.
Apparently fixed in 2020 : https://lobste.rs/s/di2bww/password_generator_kaspersky_password
Oh it wasn’t mentioned in the article, all it had was “Kaspersky started releasing patches in 2019, but it only published an advisory in April 2021.”
Yes, it is a bit confusing imho, the article you posted urges users to upgrade which makes it seem this is only patched recently. The other article (from my comment above) is this one : https://donjon.ledger.com/kaspersky-password-manager/ which shows :
All the versions prior to these ones are affected:
- Kaspersky Password Manager for Windows 9.0.2 Patch F
- Kaspersky Password Manager for Android 9.2.14.872
- Kaspersky Password Manager for iOS 9.2.14.31
Timeline
October 13, 2020: Kaspersky Password Manager 9.0.2 Patch M is released, with a notification to users to inform them some password must be re-generated.
The problem with KPM, Ledger’s researcher explains, is also what differentiated it from other password managers out there: in an attempt to create passwords that are as far away as possible from those generated by humans, the application became predictable.
What? That isn’t the problem at all. The problem is that the password was basically an obfuscated version of the generation time with second resolution.
This was also fixed a year ago, seems like a pretty shit article.
