The password generator included in Kaspersky Password Manager had several problems

Tolkem

Hi everyone! Hope you're all having a nice life! :)

I just read this article https://donjon.ledger.com/kaspersky-password-manager/, and while KPM isn't available for Linux, the article is still worth a read since it has information some of you might find useful, or at the very least you'll learn something new, like I just did :)
An excerpt:
Generated numbers must be random. But what does that mean exactly? An ordinary good PRNG will pass a series of tests, mainly statistical randomness tests such as Diehard or Dieharder tests.

A cryptographically secure PRNG (CSPRNG) will also pass those tests, but it also has two other requirements:

  • It must satisfy the next-bit test. Knowing all the bits already generated by a CSPRNG, there is no polynomial-time method that will predict the next bit with a probability higher than 0.5.
  • If, at any moment, the whole state of the CSPRNG is compromised, there is no way to retrieve the bits previously returned by the CSPRNG.
These points are essential for password generation. For example, if a password has been compromised for some reason, and if a non-CSPRNG has been used to generate this password, an attacker could then be able to retrieve the other passwords generated using this PRNG. Most operating systems provide CSPRNG implementations: CryptGenRandom on Windows, or /dev/random on UNIX-like operating systems.

Some software prefers to use its own implementation, often seeded, fully or partially, by the operating system PRNG. KeePass uses two PRNGs, based on either Salsa20 or ChaCha20, and a legacy one based on a variant of ARCFour. Let's assume the first two PRNGs are cryptographically secure: we now have all the elements to generate random, secure passwords from a given charset.
By the way, the author mentions KeePass as having a secure password generation approach. I use KeePassXC, which I think is the same, isn't it?
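To make the excerpt's point concrete, here is a small added example (not code from the Ledger Donjon article, from Kaspersky Password Manager, or from KeePass/KeePassXC) of charset-based password generation on top of the operating system's CSPRNG, with a side-by-side check of what goes wrong when the generator's whole state is a small seed. The function names, the sample charset and the fixed seed value are this example's own choices.

```python
"""Charset-based password generation backed by the OS CSPRNG.

Added illustration; not taken from the article, from KPM or from KeePass.
Function names, the sample charset and the seed value are assumptions.
"""
import math
import random
import secrets
import string

# Constructed sample charset: the usual "letters + digits + symbols" set a
# password generator offers. Any non-empty string of unique characters works.
DEFAULT_CHARSET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"  # 76 chars


def entropy_bits(charset: str, length: int) -> float:
    """Entropy of a password drawn uniformly from `charset`, `length` times.

    Each position contributes log2(|charset|) bits, assuming the source is
    uniform and unpredictable (the CSPRNG requirement from the excerpt).
    """
    return length * math.log2(len(charset))


def generate_password(length: int = 20, charset: str = DEFAULT_CHARSET,
                      choose=secrets.choice) -> str:
    """Draw `length` characters independently and uniformly from `charset`.

    `secrets.choice` reads from os.urandom (CryptGenRandom, getrandom or
    /dev/urandom under the hood), i.e. the OS CSPRNG the excerpt recommends,
    and selects without modulo bias, so every character is equally likely.
    `choose` is parameterised only so the comparison below can plug in a
    deterministic generator; production code should never override it.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(charset)) != len(charset):
        raise ValueError("charset contains duplicate characters (would bias output)")
    return "".join(choose(charset) for _ in range(length))


def seeded_mt_factory() -> random.Random:
    """Mersenne Twister with a fixed seed (hypothetical value).

    Stands in for a PRNG whose entire state is a small, guessable value:
    anyone who knows the seed reproduces every password it ever emitted.
    """
    return random.Random(1234)


def os_csprng_factory() -> random.Random:
    """SystemRandom draws every value from the OS CSPRNG; nothing to replay."""
    return secrets.SystemRandom()


def same_output_when_rerun(factory, length: int = 20) -> bool:
    """True if two generators built by `factory()` produce the same password.

    A CSPRNG-backed generator must return False: a 20-character password from
    the default charset carries roughly 125 bits of entropy, so a repeat is
    not expected. A generator whose whole state is a repeated seed returns
    True, which is exactly the "retrieve the other passwords" failure mode
    the excerpt warns about.
    """
    first = generate_password(length, choose=factory().choice)
    second = generate_password(length, choose=factory().choice)
    return first == second


if __name__ == "__main__":
    pw = generate_password()
    print(f"{pw}  ({entropy_bits(DEFAULT_CHARSET, len(pw)):.1f} bits)")
    print("fixed-seed Mersenne Twister repeats:",
          same_output_when_rerun(seeded_mt_factory))
    print("OS CSPRNG (SystemRandom) repeats:",
          same_output_when_rerun(os_csprng_factory))
```

The takeaway is the one in the excerpt: the charset and length decide the theoretical entropy, but only a source like `secrets` / `os.urandom` actually delivers it. Swapping in `random.Random` (or any generator whose state fits in a timestamp) keeps the password looking random while making every password derivable from one small value.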