An anonymous reader quotes a report from ZDNet: Suppose you are in the business of generating passwords, it would probably be a good idea to use an additional source of entropy other than the current time, but for a long time, that's all Kaspersky Password Manager (KPM) used. In a blog post to cap off an almost two year saga, Ledger Donjon head of security research Jean-Baptiste Bedrune showed KPM was doing just that. "Kaspersky Password Manager used a complex method to generate its passwords. This method aimed to create passwords hard to break for standard password crackers. However, such method lowers the strength of the generated passwords against dedicated tools," Bedrune wrote. One of the techniques used by KPM was to make letters that are not often used appear more frequently, which Bedrune said was probably an attempt to trick password cracking tools. "Their password cracking method relies on the fact that there are probably 'e' and 'a' in a password created by a human than 'x' or 'j', or that the bigrams 'th' and 'he' will appear much more often than 'qx' or 'zr'," he said. "Passwords generated by KPM will be, on average, far in the list of candidate passwords tested by these tools. If an attacker tries to crack a list of passwords generated by KPM, he will probably wait quite a long time until the first one is found. This is quite clever." The flip side was that if an attacker could deduce that KPM was used, then the bias in the password generator started to work against it. "If an attacker knows a person uses KPM, he will be able to break his password much more easily than a fully random password." The big mistake made by KPM though was using the current system time in seconds as the seed into a Mersenne Twister pseudorandom number generator. "Our recommendation is, however, to generate random passwords long enough to be too strong to be broken by a tool."
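An added illustration of the seeding flaw described above (example code, not from the ZDNet report or Ledger Donjon's write-up): Python's `random.Random` is itself a Mersenne Twister, so seeding it with the wall-clock second reproduces the weakness, and the effective entropy collapses to the size of the time window, regardless of how long the password is. The alphabet, length and one-year window are assumptions for the demonstration; the hardened variant draws from the OS CSPRNG via `secrets`.

```python
import math
import random
import secrets
import string

# Assumed alphabet and length for the demonstration (not KPM's actual settings).
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 12


def time_seeded_password(seconds_since_epoch: int, length: int = PASSWORD_LEN) -> str:
    """Weak generator: random.Random is a Mersenne Twister, and the only
    entropy fed into it is the creation time in seconds. Two users who
    generate a password in the same second get the same password."""
    rng = random.Random(seconds_since_epoch)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def csprng_password(length: int = PASSWORD_LEN) -> str:
    """Hardened generator: no time-derived state, each character comes
    from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def seed_space_bits(window_seconds: int) -> float:
    """Effective entropy of the weak generator: at most one distinct output
    per second in the window the password could have been created in, so
    the strength is log2(window), independent of the password length."""
    return math.log2(window_seconds)


def nominal_bits(length: int = PASSWORD_LEN, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy the same password would carry if every character were
    chosen uniformly and independently (what the hardened version gives)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    ts = 1_600_000_000  # constructed timestamp (2020-09-13 UTC)
    print("weak, same second twice:", time_seeded_password(ts), time_seeded_password(ts))
    print("weak, one second later: ", time_seeded_password(ts + 1))
    print("csprng:                 ", csprng_password())
    one_year = 365 * 24 * 60 * 60
    print(f"effective bits, one-year window: {seed_space_bits(one_year):.1f}")
    print(f"nominal bits for {PASSWORD_LEN} chars:      {nominal_bits():.1f}")
```

The numbers make the point: a 12-character password from the weak generator is worth under 25 bits over a one-year window, against roughly 71 bits for the same length drawn from a CSPRNG.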