Passwords generated by KPM will be far in the list of candidate passwords tested by standard cracking tools, so attackers will likely be waiting a long time before they encounter a KPM password when attempting to crack a list of passwords. The method has been implemented to trick standard password cracking tools, according to Ledger Donjon researcher Jean-Baptiste Bédrune, which try first break probable passwords, such as those generated by humans. Once any given letter is generated, it heavily skews the probability of other letters appearing in the same password. The generation process is a complex method but effectively means that letters such as q, z and x are more likely to appear in passwords generated by KPM than the average password manager. By default, KPM generates 12-character passwords with an extended chart set. The built-in password generator creates passwords from a given policy, with users able to set policy settings to change password length and include uppercase letters, lowercase letters, digits and a custom set of special characters. The issue has now been patched, but several versions of KPM are affected including version 9.0.2 Patch F and earlier on Windows, version 9.1.14.872 and earlier on Android, and version 9.2.14.31 and earlier on iOS. Kaspersky has assigned this vulnerability the tag CVE-2020-27020, and has published a security advisory regarding this flaw.
0 kommentar(er)
