Password managers are a vital line of defense in internet security. These programs generate passwords that users can adopt for their accounts if they do not want to create one themselves. However, in some cases, these machine-generated passwords can be cracked easily by online attackers.
One such case is Kaspersky's own password manager, which came under scrutiny after a report revealed that its password-generating tool had been producing passwords that were not random and were open to "brute forcing" by hackers.
Passwords not "Randomly" Generated
In an analysis report by Ledger Donjon, it was revealed that Kaspersky Password Manager used a very complex generation method, making its passwords "hard to break" for standard password crackers.
Kaspersky Password Manager had a disconcerting security problem https://t.co/tLOAWxFZ2S
— Mashable (@mashable) July 7, 2021
However, according to the report, the method itself lowers the strength of the generated password against other online attacks such as the aforementioned brute forcing, a technique where hackers try to crack a password by attempting hundreds of thousands of password combinations with specialized tools.
Mashable said that when the tool generates a random password, it uses the current time as its "single source of entropy." This means that Kaspersky Password Manager uses time as the basis for its pseudo-random number generator.
Once they know approximately when the password was generated, hackers can concentrate their attempts on that time window until they break into the account the password protects.
However, Kaspersky Password Manager had one technique that might trick several cracking tools. According to Ledger Donjon, the tool picks letters that are not often used and makes them appear more frequently.
The flip side, however, according to ZDNet, is that if an attacker could deduce that the tool was used for a user's password, the bias would start to work against it, making the password easier to crack.
Another mistake Kaspersky made in its password manager is using the current system time in seconds as the seed for a pseudo-random number generator. This means the tool would generate the exact same password for a given second.
What is worse, the program has an animation that takes longer than a second while the password is created, which is why the issue went unnoticed.
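To make the seeding problem concrete, the following Python is an added illustration written for this article; it is not Kaspersky's or Ledger Donjon's code and does not reproduce the real product's algorithm. It pairs a constructed toy generator whose only entropy is the clock truncated to whole seconds, exactly the flaw described above, with a hardened version that draws from the operating-system CSPRNG, and it computes how much entropy a time-seeded password really has once the creation time is known to within a window. The timestamp, alphabet and lengths are constructed sample values.

```python
import math
import random
import secrets
import string

# Constructed example, not Kaspersky Password Manager's real algorithm.
# 52 letters + 10 digits + 32 punctuation symbols = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed Unix timestamp (midnight UTC, 7 July 2021); any value works.
SAMPLE_TIMESTAMP = 1_625_616_000


def weak_generate(length: int, seed_seconds: int) -> str:
    """Toy time-seeded generator: the caller passes the Unix time in whole
    seconds, mirroring the flawed design. Same second -> same password."""
    rng = random.Random(seed_seconds)  # Mersenne Twister, fully determined by the seed
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int) -> str:
    """Hardened generator: no caller-visible seed; every symbol comes from the
    OS CSPRNG via the secrets module, so creation time reveals nothing."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy a password of this length and alphabet *appears* to carry."""
    return length * math.log2(alphabet_size)


def time_seeded_entropy_bits(window_seconds: int) -> float:
    """Effective entropy of a whole-second-seeded password when the creation
    time is known to lie within `window_seconds`: at most one distinct
    password per second, so log2(window) bits regardless of length."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    # Two generations in the same second are identical; the next second differs.
    print("same second :", weak_generate(16, SAMPLE_TIMESTAMP),
          weak_generate(16, SAMPLE_TIMESTAMP))
    print("next second :", weak_generate(16, SAMPLE_TIMESTAMP + 1))
    print("CSPRNG      :", strong_generate(16), strong_generate(16))
    # A 16-symbol password looks like ~105 bits, but if the attacker knows the
    # day it was created the whole-second seed leaves only ~16.4 bits.
    print(f"nominal 16-char entropy : {nominal_entropy_bits(16):.1f} bits")
    print(f"seeded, known to a day  : {time_seeded_entropy_bits(86_400):.1f} bits")
    print(f"seeded, known to a year : {time_seeded_entropy_bits(365 * 86_400):.1f} bits")
```

The point of the entropy comparison is that password length and character set do nothing for a time-seeded generator: the number of distinct passwords it can ever produce in a window is the number of seconds in that window, so the defence is to remove the seed from the caller's control entirely, as `strong_generate` does.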
According to TechCentral.ie, Kaspersky fixed the security issue in its password manager, saying it has incorporated a mechanism that notifies users of the tool if a specific password it generated could be vulnerable and needs replacing.
How to Make your Password Stronger
Password managers are one option for generating passwords to keep your private information safe online. However, many people still stick to the traditional practice of creating their own passwords.
Avast has tips on making your password stronger if you do not want to rely on password managers. One is to never use passwords that are plainly obvious, like using the word "password" as the password or consecutive keys on the keyboard like 123456 or qwerty.
Also, consider a longer yet unique password with a mix of numbers, symbols, and lower-case and upper-case letters. Never use leetspeak in your passwords, and avoid common substitutions, like replacing the letter L with the number 7 or the letter O with the number 0.
You can also insert bizarre and uncommon words into your password, or "make a sentence" for the password by taking the first two letters of every word in the sentence and combining them into a single password.