
How to Create a Master Password You’ll Remember
If you use a password manager (and you really should), there’s one password that rules them all: your master password.
Password manager from the Kaspersky cybersecurity team. AES-256, a digital wallet, and document storage.
We think Kaspersky Password Manager is a case study in how a single vulnerability and a single export-control decision can outweigh otherwise solid product work. The technical foundation looks reasonable on paper. Reviewers report AES-256 encryption with a zero-knowledge architecture, meaning Kaspersky cannot read your vault server-side.
A SOC 2 Type 2 certification landed in 2023, evidencing baseline operational security controls. Cross-device sync runs through extensions for Chrome, Firefox, Safari, Edge and Brave, biometric login covers mobile and Windows, and haveibeenpwned.com integration surfaces compromised credentials inside the vault.
At roughly $14.99 a year, with a free tier covering up to fifteen entries, the pricing is genuinely modest. Two issues sit above that baseline, and we cannot recommend the product around them. The first is technical.
In 2020 the Donjon team at Ledger found the Kaspersky password generator was seeded by the current time and used a non-cryptographic pseudo-random number generator. Any password produced before the patch could be brute-forced in minutes, and the flaw was assigned CVE-2020-27020. Kaspersky shipped a fix in late 2020, but anything generated before that point needs rotating.
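The flaw pattern described above, shown as an added Python example that is not Kaspersky's code and not part of the original review: a clock-seeded, non-cryptographic generator next to a CSPRNG-based one, with the entropy each can deliver and a rotation triage check. The alphabet, function names, sample timestamps and the use of Python's `random.Random` as a stand-in PRNG are all assumptions.

```python
import math
import random
import secrets
import string

# Constructed 70-symbol alphabet (assumption, not the product's character set).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

def weak_password(seed_seconds: int, length: int = 12) -> str:
    """Flawed pattern: non-cryptographic PRNG seeded with the clock in seconds."""
    rng = random.Random(seed_seconds)  # same second => same password
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def strong_password(length: int = 12) -> str:
    """Hardened pattern: each character comes from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def weak_entropy_bits(window_start: int, window_end: int) -> float:
    """Entropy is capped by the number of possible seeds, not by length."""
    return math.log2(window_end - window_start + 1)

def strong_entropy_bits(length: int = 12) -> float:
    """Entropy of a uniformly random password over ALPHABET."""
    return length * math.log2(len(ALPHABET))

def needs_rotation(password: str, window_start: int, window_end: int) -> bool:
    """Rotation triage: is the password reproducible from a clock seed in the window?"""
    return any(weak_password(t, len(password)) == password
               for t in range(window_start, window_end + 1))

if __name__ == "__main__":
    start = 1_600_000_000             # constructed sample timestamp
    hour, decade = start + 3600, start + 10 * 365 * 24 * 3600
    legacy = weak_password(start + 123)
    print("legacy password flagged:", needs_rotation(legacy, start, hour))
    print("CSPRNG password flagged:", needs_rotation(strong_password(), start, hour))
    print("weak bits over a decade: %.1f" % weak_entropy_bits(start, decade))
    print("strong bits, 12 chars:   %.1f" % strong_entropy_bits())
```

A twelve-character password looks identical in both cases; only the source of randomness decides whether it carries about 28 bits or about 73.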
This is the kind of mistake that should not happen in a tool whose entire job is generating strong secrets, and it permanently changes how we read the rest of the security story. The second is jurisdictional. On 20 June 2024 the US Department of Commerce's Bureau of Industry and Security issued a Final Determination prohibiting Kaspersky cybersecurity products for US persons.
All transactions were blocked from 29 September 2024, with the order citing Russian-jurisdiction risk across the company. For US-based readers, this is not a usability concern; it is a regulatory bar on continued use. Even outside the US, the underlying risk model the BIS described applies to anyone whose threat surface includes nation-state actors with leverage over Russian companies.
Other gaps compound those headline issues. Cloudwards and TechRadar both flag that the consumer product lacks secure password sharing, emergency access and account recovery options that 1Password and Bitwarden include at similar prices. There is no built-in audit log or activity history for households.
Trustpilot reviewers cite vault-loss incidents after renewal and difficulty cancelling auto-renewing subscriptions, with support limited to generic email. AllAboutCookies notes the privacy policy permits processing without consent where applicable law allows, an open-ended clause that compounds the jurisdiction concern.
Our view: the price is low, the encryption model is sound on paper, and the breach-checking feature is useful. The PRNG flaw and the US prohibition together push us toward managers with cleaner audit histories and friendlier jurisdictions.
Encryption standard for stored passwords
Support for 2FA/MFA security
Support for fingerprint and face recognition
Provider cannot access your master password
Regular third-party security audits
Monitors for compromised passwords
Notifications when accounts are compromised
Store encrypted files and documents
Built-in strong password generator
Ability to securely share passwords with others
Grant emergency access to trusted contacts
Checks for weak or reused passwords
Store encrypted notes and documents
Auto-fills credit cards and personal info
Granular control over shared items
Access passwords without internet
Temporarily remove sensitive data
Offers a free tier with basic features
Available support channels
Syncs passwords across all devices
Supported web browsers


If you’re finally using a password manager: excellent choice. Using strong, unique passwords for every account is one of the best things you can do for your security.

Passwords have had a good run… and a terrible one. You forget them. Sites make you add symbols, numbers, ancient runes. Then they get leaked in a data breach anyway.
Password manager that bundles a VPN, dark-web monitoring, and a passwordless login flow. AES-256, zero-knowledge architecture.
Password manager from the NordVPN team using XChaCha20 encryption, with breach scanning, email masking, and passkey support.
Password manager known for handling complex form-filling — long-running product, AES-256, supports unlimited passwords.