tl;dr: If you are using Kaspersky Password Manager, stop. Try Bitwarden. It is free, and it is good. The newest versions of Kaspersky Password Manager have since been fixed, but this is a sad state of affairs for a company selling "security products."
This is beyond stupid. The real question is whether it was criminal. Kaspersky Password Manager: All your passwords are belong to us
And I love the title to that article.
So was this a mistake, or did they want to have access to everyone's passwords? This was some mistake. Though they probably assigned at least part of this to some summer intern.
The password generator included in Kaspersky Password Manager had several problems. The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. All the passwords it created could be bruteforced in seconds.
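To make the quoted point concrete, here is an added toy model (my own illustration, not Kaspersky's code and not code from the linked article): a generator that seeds a non-cryptographic PRNG with the clock, and the attack against it. Everything here is assumed for illustration: the alphabet, the 12-character length, the constant `CREATION_TIME` standing in for a real timestamp, and the attacker's guess of when the password was created. The point it shows is that once the only secret is a timestamp, the "password space" is the number of seconds in the window the attacker has to search, not the size of the alphabet raised to the length.

```python
import random
import secrets
import string

# Assumed alphabet and length; the real product's choices are not described in the post.
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 12

# Constructed stand-in for the moment the victim clicked "generate".
CREATION_TIME = 1_625_000_000


def generate_password_weak(seed_seconds, length=PASSWORD_LEN):
    """The flaw: a Mersenne Twister (not a CSPRNG) seeded only with a clock value.

    Two users who generate at the same second get the same password, and anyone
    who can guess the second can regenerate it.
    """
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def bruteforce_seed(target, approx_time, window_seconds):
    """Attacker model: knows the target password (e.g. from one leaked site) or a
    way to test candidates, and roughly when it was generated. Enumerates every
    second in [approx_time - window, approx_time + window] as a seed and
    returns the seed that reproduces the target, or None.
    """
    for candidate in range(approx_time - window_seconds, approx_time + window_seconds + 1):
        if generate_password_weak(candidate, len(target)) == target:
            return candidate
    return None


def generate_password_secure(length=PASSWORD_LEN):
    """What a password generator should do: draw from the OS CSPRNG via `secrets`.

    There is no seed to recover; each character is an independent draw, so the
    search space really is len(ALPHABET) ** length.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def search_space_bits(length=PASSWORD_LEN):
    """Nominal strength of a password if every character were truly random."""
    import math
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    victim_password = generate_password_weak(CREATION_TIME)
    print("victim's weak password:", victim_password)
    print(f"nominal strength: {search_space_bits():.1f} bits")

    # Attacker guesses the creation time to within an hour and is off by 15 minutes.
    guess = CREATION_TIME + 15 * 60
    recovered = bruteforce_seed(victim_password, guess, window_seconds=3600)
    print("recovered seed:", recovered, "(correct)" if recovered == CREATION_TIME else "(miss)")
    print("actual strength: at most", 2 * 3600 + 1, "candidates in a one-hour window")

    print("secure password:", generate_password_secure())
```

A one-hour window is 7,201 seeds; a whole year is about 31.5 million, which the loop above still finishes in well under a minute on a laptop, and that is for a generator whose output should nominally take around 2^71 guesses. The fix is not a bigger window or a longer password; it is replacing the seeded PRNG with a cryptographically secure source, as `generate_password_secure` does.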
Stupid is worse than criminal in many ways. There are more stupid people than bad actors, and there is no shortage of bad actors.
The whole article is technical, but interesting. If you aren't interested in the technical, all you need to know is at the top.
A day may come when companies take security seriously, but today is not that day.
Should have defined PRNG: Pseudorandom Number Generator