Archive for July 2014

Thoughts on Dashlane Password Sharing [Updated]

Dashlane announced two days ago the availability of version 3 of their product, which is, as they describe it, "enhanced for teams and families."

I love Dashlane. It is an excellent product when it comes to browser integration and ease of use, although it has some restrictions that people might not like (you cannot shut it down, there is no secure desktop when entering your master password, etc.).

When using a password manager, one needs a leap of faith on two counts: 1) trust that the product is secure, which is catastrophically not the case even for applications claiming to be number 1 on the market, and 2) trust that the password manager is not accessing, and will not access, its users' passwords to use them or sell them to third parties.

What password managers advance as the reliable foundation that addresses both of the above points is cryptography! It is very simple (not really): all your passwords are locked with a key, called the master password, on your local machine. Only you know the master password, which is supposed to never leave your machine. If the password manager syncs or backs up to its servers, the servers only see encrypted data, which is not readable by anyone who gets hold of it, not even the password manager vendor itself.

Back to Dashlane. It seems that they are taking the ease of use of their browser integration and making "password sharing" as easy as their auto-login feature. You can even set an emergency contact who can access your passwords after a given period of time if you don't revoke them.

You can choose to give the person you share your passwords with full or read-only access to the passwords. A rather useless distinction, considering that even if the other person cannot change the passwords in your Dashlane app, they can change them on the target websites anyway... but that's a debatable use case, you might argue!

Now, I can only speculate as to how the sharing of passwords is implemented. This is how Dashlane describes it on their website:

"How does Dashlane enable sharing passwords with others while still not being able to read my data?

When you share a password or other data via Dashlane, only the recipient has the ability to decrypt that data. Dashlane performs the encryption locally on your device, using a 1-way mechanism called public / private key encryption. Once encrypted with the public key of the recipient, the data can only be read with the private key of the recipient which Dashlane does not have. It is like a key that can only be used to lock but cannot be used to unlock."

Good enough indeed. But now, if user A sets user B as their emergency contact, Dashlane stores A's passwords in a form that B's private key can decrypt if B can get hold of this data, regardless of whether or not A revokes access to those passwords. Let's hope that Dashlane does not copy A's encrypted data immediately to B's account and enforce access control using timestamps, for example (I know, too simple and catastrophic to be true, but you never know).

In conclusion, Dashlane cannot claim that your data on their servers is 100% safe. As long as it is stored somewhere, if a copy of this encrypted (shared) data is accessible, the people you shared passwords with can still access them, with or without your approval.
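
The emergency-contact arrangement discussed above can be modelled in a few lines. This is an added example, not Dashlane's code or protocol: the EscrowServer class, its method names, the sample password and the toy ElGamal-style cipher (small demo parameters, no authentication) are all assumptions made for illustration. It shows that the timer and the revocation are server-side policy only, while the stored blob itself stays decryptable by B's private key.

```python
import hashlib
import secrets

# Toy ElGamal-style parameters, constructed for this demo. NOT a vetted group or size.
P = 2**521 - 1   # a Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _stream(shared, n):
    # Derive n keystream bytes from the shared secret with SHAKE-256.
    return hashlib.shake_256(shared.to_bytes(66, "big")).digest(n)

def encrypt_to(pub, plaintext):
    # Ephemeral key + XOR keystream: anyone can lock, only the private key unlocks.
    eph_priv, eph_pub = keypair()
    ks = _stream(pow(pub, eph_priv, P), len(plaintext))
    return eph_pub, bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt_with(priv, blob):
    eph_pub, ct = blob
    ks = _stream(pow(eph_pub, priv, P), len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class EscrowServer:
    """Hypothetical server: holds A's blob for B and gates release on a timer."""
    def __init__(self):
        self.store = {}
    def deposit(self, owner, contact, blob, release_at):
        self.store[(owner, contact)] = {"blob": blob, "release_at": release_at}
    def revoke(self, owner, contact):
        # Revocation is only as good as the deletion of every stored copy.
        self.store.pop((owner, contact), None)
    def fetch(self, owner, contact, now):
        rec = self.store.get((owner, contact))
        if rec is None or now < rec["release_at"]:
            return None
        return rec["blob"]

def demo():
    b_priv, b_pub = keypair()
    server = EscrowServer()
    server.deposit("A", "B", encrypt_to(b_pub, b"hunter2"), release_at=100)
    early = server.fetch("A", "B", now=10)          # timer not elapsed: nothing released
    copy = server.store[("A", "B")]["blob"]         # a copy obtained outside fetch()
    server.revoke("A", "B")
    after_revoke = server.fetch("A", "B", now=200)  # revoked: nothing to release
    return early, after_revoke, decrypt_with(b_priv, copy)
```

The policy checks both return nothing, yet the copy taken before revocation still decrypts under B's key, which is why revocation has to mean deleting the ciphertext everywhere it is stored.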

Update: one of Dashlane's developers contacted me by email to address the above question. Here is his email:
I work at Dashlane and wanted to address your concerns on our new 'emergency contact' feature. I can confirm that we don't immediately send A's encrypted passwords to B. Instead, they are stored on our servers, and can only be accessed once the timer has elapsed, or A authorizes it immediately. Our servers can be hacked (we obviously do our best to prevent it), in which case it could indeed be read by the person you shared it with, so sharing your passwords with people you trust is always a good idea... However, using this feature means you don't also have to trust e.g. your email provider (if you are used to sharing your passwords by email) or any other third party, which is why we think this feature improves the overall security (and convenience) of password sharing.
Hope this answers your questions, don't hesitate if something is unclear or you have other questions.
Glad you love Dashlane!

