KPM's built-in password generator creates passwords from a given policy: users can change the password length and choose whether to include uppercase letters, lowercase letters, digits and a custom set of special characters. By default, KPM generates 12-character passwords with an extended character set.

The generation process is complex, but in effect it means that letters such as q, z and x are more likely to appear in passwords generated by KPM than in those from the average password manager. Once any given letter is generated, it heavily skews the probability of other letters appearing in the same password.

According to Ledger Donjon researcher Jean-Baptiste Bédrune, the method was implemented to trick standard password-cracking tools, which try to break the most probable passwords first, such as those generated by humans. Passwords generated by KPM sit far down the list of candidates tested by standard cracking tools, so an attacker working through a list of password hashes would likely wait a long time before encountering a KPM password.

“We can conclude that the generation algorithm in itself is not that bad: it will resist against standard tools,” Bédrune said. The problem is that the passwords are biased to some extent, and that bias can be abused to generate the passwords the tool is most likely to produce. If an attacker knows a password was generated by KPM, they can adapt their cracking tool to the model KPM uses to generate it.

The issue has now been patched, but several versions of KPM are affected, including version 9.0.2 Patch F and earlier on Windows, version 9.1.14.872 and earlier on Android, and version 9.2.14.31 and earlier on iOS. Kaspersky has assigned the vulnerability the identifier CVE-2020-27020 and has published a security advisory regarding the flaw.
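The adaptation Bédrune describes, as an added example that is not from the article, from Kaspersky or from Ledger Donjon's research: a constructed toy generator with a hypothetical letter-to-letter bias (not KPM's actual algorithm; the charset, length and weights are assumptions chosen so that every candidate can be enumerated), an attacker who estimates that bias from the generator's own output, and a comparison of how far down the guess list the generated passwords land for an adapted cracker versus one with no model of the generator.

```python
"""Added example: cracking a biased password generator by modelling its bias.

The generator below is a constructed toy, not Kaspersky Password Manager's
algorithm. Its transition table is invented to mimic the kind of bias the
article describes: once one letter is chosen, it heavily skews which letters
follow it. Charset, length and weights are assumptions made so that every
candidate can be enumerated and ranked."""
import math
import random
from collections import Counter, defaultdict
from itertools import product

CHARSET = "abcdefghijklmnop"  # 16 symbols: 4 bits per position if chosen uniformly
LENGTH = 4                     # 16**4 = 65536 candidates, small enough to enumerate


class ToyBiasedGenerator:
    """Hypothetical generator whose next letter depends on the previous one."""

    def __init__(self, seed):
        self.rng = random.Random(seed)
        n = len(CHARSET)
        # First letter: a, e, i, m are 10x more likely than the other twelve.
        self.first_weights = [10 if i % 4 == 0 else 1 for i in range(n)]
        # After letter i, letters (i+3) % n and (i+7) % n are 20x more likely.
        self.next_weights = {}
        for i, c in enumerate(CHARSET):
            favoured = {(i + 3) % n, (i + 7) % n}
            self.next_weights[c] = [20 if j in favoured else 1 for j in range(n)]

    def generate(self):
        pw = self.rng.choices(CHARSET, weights=self.first_weights)[0]
        while len(pw) < LENGTH:
            pw += self.rng.choices(CHARSET, weights=self.next_weights[pw[-1]])[0]
        return pw


def learn_model(samples):
    """Attacker step 1: run the generator many times and count first letters and
    letter-to-letter transitions, i.e. fit a first-order Markov model to its output."""
    first = Counter(pw[0] for pw in samples)
    trans = defaultdict(Counter)
    for pw in samples:
        for a, b in zip(pw, pw[1:]):
            trans[a][b] += 1
    row_totals = {a: sum(row.values()) for a, row in trans.items()}
    return {"first": first, "trans": trans, "row_totals": row_totals, "n": len(samples)}


def log2_prob(pw, model):
    """log2 of pw's probability under the learned model, with add-one smoothing
    so a transition never seen in training still gets a small non-zero probability."""
    n = len(CHARSET)
    lp = math.log2((model["first"][pw[0]] + 1) / (model["n"] + n))
    for a, b in zip(pw, pw[1:]):
        lp += math.log2((model["trans"][a][b] + 1) / (model["row_totals"].get(a, 0) + n))
    return lp


def guess_order(model):
    """Attacker step 2: enumerate every candidate and sort it most-likely-first.
    This is the candidate list an adapted cracker would feed to its hash loop."""
    cands = ("".join(t) for t in product(CHARSET, repeat=LENGTH))
    return sorted(cands, key=lambda pw: log2_prob(pw, model), reverse=True)


def average_rank(passwords, order):
    """Mean 1-based position of each real password in a guess list."""
    position = {pw: i + 1 for i, pw in enumerate(order)}
    return sum(position[pw] for pw in passwords) / len(passwords)


def uniform_expected_rank():
    """A cracker with no model of the generator can do no better than a random
    order over the keyspace: on average it tries half of it before hitting the target."""
    return (len(CHARSET) ** LENGTH + 1) / 2


def run_demo(train_n=20000, test_n=200):
    """Fit the model on one generator instance, then measure how quickly the
    adapted guess list finds passwords produced by a fresh, differently seeded instance."""
    trainer = ToyBiasedGenerator(seed=1)
    model = learn_model([trainer.generate() for _ in range(train_n)])
    order = guess_order(model)
    victim = ToyBiasedGenerator(seed=2)
    targets = [victim.generate() for _ in range(test_n)]
    return {
        "adapted_average_rank": average_rank(targets, order),
        "uniform_expected_rank": uniform_expected_rank(),
        "top_guesses": order[:5],
    }


if __name__ == "__main__":
    result = run_demo()
    print("average guess number, adapted cracker:", round(result["adapted_average_rank"]))
    print("average guess number, no model:       ", result["uniform_expected_rank"])
    print("first guesses of the adapted cracker: ", result["top_guesses"])
```

The toy keyspace is small enough to sort outright; against a real 12-character extended-charset generator an adapted tool would instead sample or beam-search candidates from its model in descending probability, but the principle is the same: the generator's own output is enough training data, and the gap between the adapted cracker's average guess number and the half-keyspace baseline is exactly the security lost to the bias.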