Thoughts on Dashlane Password Sharing [Updated]

Two days ago, Dashlane announced the availability of version 3 of their product, which is, as they describe it, "enhanced for teams and families."

I love Dashlane. It is an excellent product when it comes to browser integration and ease of use, although it has some restrictions that people might not like (you cannot shut it down, there is no secure desktop when entering your master password, etc.).

When using a password manager, one needs a leap of faith on two counts: 1) that the product is secure (which is catastrophically not the case even for applications claiming to be number 1 on the market), and 2) that the password manager is not accessing, and is not going to access, its users' passwords to use them or sell them to third parties.

What password managers advance as the reliable foundation that solves both of the above points is cryptography! It is very simple (not really): all your passwords are locked with a key, called the master password, on your local machine. Only you know the master password, which is supposed to never leave your machine. If the password manager syncs or backs up to its servers, the servers only see encrypted data, which is not readable by anybody who gets hold of it, not even the password manager itself.

Back to Dashlane. It seems that they are taking the ease of use of their browser integration and making "password sharing" as easy as their auto-login feature. You can even set an emergency contact who gets access to your passwords after a given period of time if you don't revoke them.

You can choose to give the person you share your passwords with full or read-only access to the passwords. A very useless distinction: even if the other person cannot change the passwords in your Dashlane app, they can still change them on the target websites anyway... but that's a debatable use case, you might argue!

Now, I can only speculate as to how the sharing of passwords is implemented. This is how Dashlane describes it on their website:

"How does Dashlane enable sharing passwords with others while still not being able to read my data?

When you share a password or other data via Dashlane, only the recipient has the ability to decrypt that data. Dashlane performs the encryption locally on your device, using a 1-way mechanism called public / private key encryption. Once encrypted with the public key of the recipient, the data can only be read with the private key of the recipient which Dashlane does not have. It is like a key that can only be used to lock but cannot be used to unlock."

Good enough indeed. But now, if user A sets user B as their emergency contact, Dashlane stores A's passwords in a form that B's private key can decrypt if B gets hold of this data, regardless of whether A has revoked access to those passwords. Let's hope that Dashlane does not copy A's encrypted data immediately to B's account and enforce access control using timestamps, for example (I know, too simple and catastrophic to be true, but you never know).

In conclusion, Dashlane cannot claim that your data on their servers is 100% safe. As long as it is stored somewhere, if a copy of this encrypted (shared) data is accessible, the people you shared passwords with can still access them, with or without your approval.
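
The argument above as an added sketch (not Dashlane's code and not part of the original post): a hypothetical `EscrowServer` holds a password encrypted to B's RSA public key, so the waiting period and the revocation are server-side policy checks, while any copy of the stored blob remains decryptable by B. All names, the 7-day timer and the sample password are constructed for illustration.

```javascript
// Added illustration; not Dashlane's implementation. All names are hypothetical.
const nodeCrypto = require('node:crypto');

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Runs on A's device: encrypt to B's public key before anything is uploaded.
function sealForRecipient(recipientPublicKey, secret) {
  return nodeCrypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, Buffer.from(secret, 'utf8'));
}

// Runs on the recipient's device: only the matching private key opens the blob.
function openAsRecipient(recipientPrivateKey, blob) {
  return nodeCrypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, blob).toString('utf8');
}

// Hypothetical server-side escrow: stores the ciphertext and gates its release.
class EscrowServer {
  constructor() { this.grants = new Map(); }
  deposit(id, blob, waitMs, now) {
    this.grants.set(id, { blob, releaseAt: now + waitMs, revoked: false });
  }
  revoke(id) { this.grants.get(id).revoked = true; }
  // The timer and the revocation flag are policy checks, not cryptography.
  fetch(id, now) {
    const g = this.grants.get(id);
    if (!g || g.revoked || now < g.releaseAt) return null;
    return g.blob;
  }
  // Models a breach or leaked backup: the blob is read without going through fetch().
  dumpStorage(id) { return this.grants.get(id).blob; }
}

function demo() {
  const b = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const outsider = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const server = new EscrowServer();
  const t0 = 0, day = 86400000;
  server.deposit('A->B', sealForRecipient(b.publicKey, 'constructed-password'), 7 * day, t0);

  const early = server.fetch('A->B', t0 + day);            // timer not elapsed: denied
  server.revoke('A->B');
  const afterRevoke = server.fetch('A->B', t0 + 8 * day);  // revoked by A: denied
  const leaked = server.dumpStorage('A->B');               // copy obtained outside the gate
  let outsiderRead = null;
  try { outsiderRead = openAsRecipient(outsider.privateKey, leaked); } catch (e) { /* wrong key */ }
  return { early, afterRevoke, outsiderRead, bRead: openAsRecipient(b.privateKey, leaked) };
}

console.log(demo());
```

The revocation only changes what `fetch()` returns; it does nothing to a blob that already exists, which is why the stored copy has to be deleted or re-encrypted for revocation to hold against a leak.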

Update: one of Dashlane's developers contacted me by email to address the above question, here is his email:
I work at Dashlane and wanted to address your concerns on our new 'emergency contact' feature. I can confirm that we don't immediately send A's encrypted passwords to B. Instead, they are stored on our servers, and can only be accessed once the timer is elapsed, or A authorizes it immediately. Our servers can be hacked (we obviously do our best to prevent it), in which case it could indeed be read by the person you shared it with, so sharing your passwords with people you trust is always a good idea... However, using this feature means you don't also have to trust e.g. your email provider (if you are used to sharing your passwords by email) or any other third party, which is why we think this feature improves the overall security (and convenience) of password sharing.
Hope this answers your questions, don't hesitate if something is unclear or you have other questions.
Glad you love Dashlane!


Twitter Archive Eraser 50 Million Deleted Tweets Cap and Stats

These are the current stats for Twitter Archive Eraser since 1st January 2014:

  • Number of deleted tweets: 50,361,283
  • Number of tweets loaded: 135,405,333
  • Number of unique users: 4011
  • Number of unique sessions (a user can use the application more than once): 8305
  • Total Azure Table Storage entities: 41800


Check these numbers in real time at: http://martani.github.io/Twitter-Archive-Eraser/



Twitter Archive Eraser version 4.0 available

Twitter Archive Eraser version 4.0 was released about a month ago (too lazy to update on the blog here) and comes with an exciting set of new features.


The major features introduced with version 4.0:

  • Zip archive loading: you can now load the whole twitter zip archive in one click without the need to add specific *.js files separately.
  • Automatic error retry: Twitter Archive Eraser tracks any tweets which were not deleted due to network or server-side errors and offers to retry deleting them on the fly. You can also save a list of these tweets to delete later.
  • Filtering based on regular expressions: retweets, mentions, etc. You can get all of these very easily with regex-based filtering.


Real time statistics and reporting:

One of the exciting features of Twitter Archive Eraser version 4.0 is statistics. I used Windows Azure Websites and Table storage for this. One example of how valuable stats are is checking the number of tweets deleted using the application in real time. A counter showing these numbers is available on the main website of the application.

As of 9th of February 2014, Twitter Archive Eraser had deleted ~28 million tweets and loaded ~75 million, in 6 weeks!!

Licence:

Twitter Archive Eraser version 4.0 comes with an updated licence. In a nutshell:
  • You can always use Twitter Archive Eraser for personal use and distribute it as you wish.
  • You cannot use Twitter Archive Eraser for commercial purposes nor derive works based on it.

If you wish to contribute to Twitter Archive Eraser, you are always welcome to do so on this repository on github at https://github.com/martani/Twitter-Archive-Eraser.

Special thanks to Florent (https://twitter.com/florentsays) for his valuable suggestions.


Twitter Archive Eraser version 3.0 available

Twitter Archive Eraser 3.0 is now available for download from http://martani.github.io/Twitter-Archive-Eraser/.

This new version includes a fix for a bug which caused version 2.1 to crash, and two major new features: parallel deletion and keyword-based filtering of tweets.

The first feature allows faster deletion of tweets depending on the chosen degree of parallelism. It can delete up to 16 tweets concurrently. With version 3.0 it is also possible to filter tweets containing keywords; this is very useful to keep/delete any mentions or specific tweets about some subject.



Delete Your Oldest Tweets Using Twitter Archive Eraser [Updated version 2.1]

Looking for the awesome Twitter Archive Eraser? It has a new home now; download it from:

http://martani.github.io/Twitter-Archive-Eraser/


Old post:

Until very recently, there was no obvious way to access your old tweets. In fact, Twitter imposes a limit of 3200 tweets (the most recent ones, that is) that an application can access. This also means that you cannot delete your old tweets. Several tools exist to help you delete your old tweets but, according to my experiments, most of them do not work properly due to the Twitter API's limitations.

Last week however, Twitter enabled the option for users to download their whole archive of tweets, which contains among other things the IDs of all the tweets of a user, the exact piece of information that can be used to wipe out any tweet.

I have developed a simple application called "Twitter Archive Eraser" that helps you delete the oldest tweets from your timeline, or wipe out the whole archive if you so wish.
The application is as simple as possible; it works in 3 steps: authenticate with Twitter, select which tweets you want to delete, wipe them out.

Step 1

In this step, you give Twitter Archive Eraser access to your Twitter account so that it can delete the tweets you select. This works by entering a PIN that Twitter provides after authentication.

Step 2

After you download your Twitter archive (from https://twitter.com/settings/account) and extract it (to C:\Twitter_archive for example), you choose which tweets from your archive to delete. The tweets in the Twitter archive are grouped by month, i.e. all the tweets of a month are stored in the same file.

These files are found in [your Twitter archive path]\data\js\tweets.
For instance, to delete the tweets from September 2009 you choose the file 2009_09.js.

Step 3

Once you have selected the correct files, you are presented with all the tweets contained in these files. By default, all the tweets are marked for deletion; if you want to keep any specific tweets, you uncheck them. Once you hit the "erase selected tweets" button, there is no going back (unless you force the app to exit!).


You can find the code of the application on github: https://github.com/martani/Twitter-Archive-Eraser. All the Twitter logic is done using the excellent LinqToTwitter library.

Requirements:
.NET Framework 4.0.

Download from: http://martani.github.io/Twitter-Archive-Eraser/




