Jean-Baptiste Bédrune, head of security research at Ledger Donjon, said that for a long time Kaspersky Password Manager generated passwords using the current time and no other source of entropy. The method is complex, and such passwords are difficult to guess using standard methods. However, once this fact is taken into account, their strength is greatly reduced against specialized cracking tools.
If an attacker knows that a person is using Kaspersky Password Manager, the attacker can guess the password faster than any other random combination. The program's big mistake was using the current system time in seconds as the seed for the Mersenne Twister pseudo-random number generator. This means that every instance of Kaspersky Password Manager in the world generated the same password in the same second. Because the password-creation animation takes more than a second, this problem went undetected. For example, 315619200 seconds passed over the 11 years from 2010 to 2021, so Kaspersky Password Manager could generate no more than 315619200 passwords for this encoding. In this case, brute-forcing them would take several minutes. Jean-Baptiste Bédrune noted that sites often show the time of account creation, so users become vulnerable to brute-force attacks.
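The flaw described above, set beside its hardened form, as an added example that is not code from Kaspersky or Ledger Donjon. The generator is a toy stand-in, not the product's real algorithm; the 62-character alphabet, the 12-character length and the sample timestamp are assumptions made for this illustration.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed 62-symbol alphabet
SECONDS_2010_2021 = 315_619_200  # figure quoted in the article


def weak_password(unix_second: int, length: int = 12) -> str:
    """Toy generator with the described flaw: the only input is the time in seconds."""
    rng = random.Random(unix_second)  # CPython's random.Random is a Mersenne Twister
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = 12) -> str:
    """Hardened form: every character is drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_bits(length: int = 12) -> float:
    """Entropy the password appears to have, judged by length and alphabet."""
    return length * math.log2(len(ALPHABET))


def effective_bits(possible_seeds: int) -> float:
    """Upper bound on entropy when the seed is the generator's only secret."""
    return math.log2(possible_seeds)


def distinct_outputs(start_second: int, seconds: int) -> int:
    """Number of different passwords the weak generator can emit in a time window."""
    return len({weak_password(start_second + i) for i in range(seconds)})


if __name__ == "__main__":
    t = 1_600_000_000  # constructed timestamp
    print("two installs, same second:", weak_password(t), weak_password(t))
    print("nominal bits:  ", round(nominal_bits(), 1))
    print("effective bits:", round(effective_bits(SECONDS_2010_2021), 1))
    print("passwords possible in one hour:", distinct_outputs(t, 3600))
    print("CSPRNG sample:", strong_password())
```

The gap between the nominal and effective figures is the point: a password that looks like 12 random characters carries no more entropy than the seed that produced it.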
The second drawback was that Kaspersky Password Manager generated passwords that used groups of letters not found in words, for example qz or zr. If the attacker knows that the user is using this program, the attacker can carry out a brute-force attack with these combinations, and it will take less time than usual.
According to the research group, all versions of Kaspersky Password Manager up to 9.0.2 Patch F for Windows, up to 126.96.36.1992 for Android and up to 188.8.131.52 for iOS were affected. The company was informed of the vulnerability in June 2019, and in October of that year, it released a patched version of its program. A year later, the company notified its customers about the need to update some passwords, and in April of this year, Kaspersky Lab published security recommendations.
All public versions of Kaspersky Password Manager that had this problem now have new logic for generating passwords and warn users when a generated password is not strong enough.