Kaspersky Password Manager: Android master password timeout too short

[John Warosa]

I’m in the process of evaluating KPM in order to decide if I should buy it or not and I’ve hit a major roadblock: while on the PC you have to type your master password only once at startup, on android the maximum timeout allowed is ten minutes! I get that there’s a security risk in case you lose your device, but not all Android devices are outdoor devices (think about tablets), and not all PCs stay at home only (laptops and such). 

As I was saying, after ten minutes you have to re-type your password all over again, this led me to think of changing my master password into something shorter and simpler, but this would kind of defeat the (security) purpose of a password manager.

So, my idea is this: why don’t you allow the android app a longer timeout, something like 8 or 12 hours?

[Flood and Flood's wife]

Hello @John Warosa,

Welcome!

The issue has been previously raised & extensively discussed with Kaspersky / KPM experts; the bottom line is, the KPM Master password, 10 minute, maximum timeout = is by design, it’s for the exact purpose you say; different technology; imperative the data is secured. 

It will not be changing in the foreseeable future. 

KPM Master password

The main password is a single password that Kaspersky Password Manager uses to protect all your data, including other passwords. You create the main password during the initial setup of Kaspersky Password Manager. Every time you try to access the data vault, Kaspersky Password Manager prompts you for the main password. If your device is running Android 6.0 or later, supports fingerprint authentication, and fingerprint authentication is enabled in the app settings, you can use it to unlock your vault instead of entering the main password.

Kaspersky Password Manager doesn't store the main password on any of your devices or in cloud storage. Kaspersky recommend that you memorize your main password, or write it down and keep it in a secure place, because it can't be restored or recovered if forgotten.

If you forget your main password, you will no longer be able to access your data. In this case, you will have to create a new vault and protect it with a new main password. Then you will be able to add new data to the vault.

Thank you🙏

Flood🐳 +🐋

[John Warosa]

Hello @John Warosa,

Welcome!

The issue has been previously raised & extensively discussed with Kaspersky / KPM experts; the bottom line is, the KPM Master password, 10 minute, maximum timeout = is by design, it’s for the exact purpose you say; different technology; imperative the data is secured. 

It will not be changing in the foreseeable future. 

KPM Master password

The main password is a single password that Kaspersky Password Manager uses to protect all your data, including other passwords. You create the main password during the initial setup of Kaspersky Password Manager. Every time you try to access the data vault, Kaspersky Password Manager prompts you for the main password. If your device is running Android 6.0 or later, supports fingerprint authentication, and fingerprint authentication is enabled in the app settings, you can use it to unlock your vault instead of entering the main password.

Kaspersky Password Manager doesn't store the main password on any of your devices or in cloud storage. Kaspersky recommend that you memorize your main password, or write it down and keep it in a secure place, because it can't be restored or recovered if forgotten.

If you forget your main password, you will no longer be able to access your data. In this case, you will have to create a new vault and protect it with a new main password. Then you will be able to add new data to the vault.

Thank you🙏

Flood🐳 +🐋

 

Too bad, there goes my new password manager. However, may I suggest something like this: upon installation the app could ask if this is a home or portable device and in case the user chooses “home” it could show a disclaimer about the reduced security and allow longer timeout for the master password. Or, even better: the “home” option could be inside the “advanced” settings (and always behind a disclaimer) so that the average user doesn’t activate it by mistake.
 

After all, if data security is imperative then allowing no timeout whatsoever to a PC that a user could carry around in standby mode on a train or other public places is a major oversight.

 

About allowing fingerprint unlocking: sure it’s less stressful than having to re-type the entire password but security-wise is a poor choice: now I have to provide Samsung/Apple and whatever governmet agancies they share the data with my fingerprints, that’s quite dystopian.
 

[Flood and Flood's wife]

Hello @John Warosa, 

You're more than welcome!

Thank you for your feedback. 

1. Which Android OS do you have - open Phone Settings, scroll to About Phone ? & or About? →  scroll to Software information, select Android version ?  
2. Re the "time out phase", what's the max timeout available of your Android, the phone time out, not KPM? 

   

    
3. Re the "advanced settings", which advanced settings? 

• We didn't say we agree with the way Kaspersky manages the concerns, we simply shared with you, the history of the issue & Kaspersky's stated position. 
• The KPM software that’s available in Google Play Store, Huawei app store & Apple store are all from Kaspersky's home user (personal) range. 
• Even tho Support is unavailable to those who don’t have an active Kaspersky subscription; we encourage you to raise a Feedback, I have a suggestion request. Kaspersky does take user feedback seriously, although, sometimes very slowly; if you communicate your thoughts, you'll be giving them the opportunity to review & respond. 
• Regarding your “dystopian” concerns: KASPERSKY LAB – PRODUCTS AND SERVICES PRIVACY POLICY. 

Thank you🙏

Flood🐳 +🐋

[John Warosa]

OK, as soon as I got  bit of free time I’ll do it, currently I’m using the fingerprint on my phone and it’s not so bad, the problem is that tablets, no matter how high end, they usually don’t have a fingerprint reader (my Galaxy Tab S2 was top of the line when it came out and doesn’t have one, and this is the android device I use to log on to sites).