Kaspersky Password Manager Has Been Generating Bad Passwords

The random number generator in the Kaspersky Password Manager wasn't nearly random enough. Here's why.
Adam Rowe

You could be forgiven for assuming a randomly generated password was generated at random. That hasn't exactly been the case for Kaspersky Password Manager for a little under two years.

The cybersecurity company's password manager had been using a built-in auto-generator with a particularly glaring flaw. They've patched it, but any Kaspersky Password Manager users should change their previously generated passwords ASAP.

Here's what went wrong.

The Flaw

The password generator works to create passwords by following a set “policy,” with settings that include password length, uppercase letters, lowercase letters, digits, and a custom set of special characters. They can be customized, but the default policy is a 12-character password.

Do you already use a password manager?
Kaspersky password generator

So what's the problem? Well, any random number generator needs one or more sources of entropy — the element of uncertainty that ensures the result remains random. But the seed that Kaspersky was starting with was the current current system time, in seconds. Yes, time, one of the most predictable and non-random metrics out there.

Here's how Ledger Donjon, head of security research at Jean-Baptiste Bédrune, explained it in a blog post:

“So the seed used to generate every password is the current system time, in seconds. It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second. This would be obvious to spot if every click on the ‘Generate' button, in the password generator interface, produced the same password.”

The reason people didn't notice that every password generated in the same second was the exact same is because the interface has a one-second animation that it plays, ensuring no one can generate two passwords in the same second.

But it's a big flaw. Any hacker who knows the trick can brute force any password: The number of seconds in the day is finite, and a hacker can run through all 315,619,200 passwords tied to the seconds of the decade between 2010 and 2021 in just a few minutes.

And, if an online account publicly displays the date that it was created on, a hacker will need to run even fewer potential passwords before cracking a Kaspersky password.

Secure Passwords Are Essential

Kaspersky was alerted to the issue, and has rolled out a fix. But every password that has already been generated by a vulnerable version of the software is still easily crackable — a bit of a nightmare for everyone who's using the service specifically to ensure their passwords can't be cracked.

If you use Kaspersky's password manager, change your passwords now. And if you're in the market for a password manager that will keep your online activity private, we've reviewed all the top options in depth over here — none of which have run into trouble with tying their random number generators to an easily cracked algorithm.

0 out of 0
Test Score
Our scoring is based on independent tests and assessments of features, ease of use and value.
Local Storage Option
Two-Factor Authentication
Failsafe Function
Password Generator Function
A password manager can create secure, complex passwords for you. You won't need to remember them yourself.
Help Instructions
Email Support
Live Chat Support
Phone Support
Cost per year
Overall cost per year for a single user.
Click to Try

1Password

Dashlane

LastPass

NordPass

Sticky Password

4.4
4.3
3.9
3.9
3.9

$36

$60

$36

$29.88

$30

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Adam is a writer at Tech.co and has worked as a tech writer, blogger and copy editor for the last decade. He's also a Forbes Contributor on the publishing industry (and Digital Book World 2018 award finalist) and has appeared in publications including Popular Mechanics and IDG Connect. When not glued to TechMeme, he loves obsessing over 1970s sci-fi art.

Explore More See all news
close Thinking about your online privacy? NordVPN is Tech.co's top-rated VPN service See Deals