If you are in the business of generating passwords, you’d probably use an alternative source of entropy, other than the current time. However, for a long time, Kaspersky Password Manager has been doing just that.
In a blog post that caps off a saga that began two years ago, Ledger Donjon head of security research Jean-Baptiste Bédrune, demonstrated this. Bédrune wrote that KPM used a complex method to generate passwords. This method aimed to make passwords that were hard to break for standard password crackers. However, the method lowers the password strength against dedicated tools.
A technique issue
One of the techniques used by KPM made letters that are not often used, appear more frequently, which Bédrune thinks was done to try and trick password cracking tools. The password cracking method relies on the fact that there may be ‘e’ and ‘a’ in a password created by a human, rather than a letter like ‘x’ or ‘j’ or that bigrams like ‘th’ and ‘he’ will appear more than ‘zr’ and ‘qx.’ KPM passwords, he added, will on average be far in the list of candidate passwords tested by these tools.
Because of that technique of password creation, a password cracker will wait a long time until the first one is found, which Bédrune called ‘quite clever.’ However, there is a flip side to this method. If a cracker finds out that KPM was used, they would know what to expect.
As such, they would be able to use that bias in the password generator, to crack the KPM password faster. Bédrune says that an attacker will crack a password faster if they knew it was created by KPM, than if it were fully random. He highlights other problems that show KPM needs to do more to bolster its passwords’ strength.