How Secure is Dashlane: are your passwords safe?

There is no denying how important password managers are, and yet not many people have embraced them. While it’s true that many people remain largely unaware of the benefits of using a password manager, there is another group of people who simply don’t trust this software. These people argue that having all your passwords in one place gives hackers a better chance of accessing your private data. The other worry is that password manager vendors may also have access to the saved passwords, which would mean the user data is not safe at all.

Why You Should Trust Your Passwords with Dashlane

Unfortunately, these worries are not baseless. It is possible for rogue vendors to fool users into giving them access to their passwords. Also, if you are using a password manager with weak security measures, hackers can easily gain access to its servers and steal your passwords. This is why it’s important that you don’t just pick any password manager. Don’t be drawn to a password manager just because it is the cheapest. Try to establish which security features are included in the software.

There are a number of great password managers available on the market today, but my favorite remains Dashlane. Why? Their security policy is ironclad, which is what I will be discussing today: where does Dashlane store your passwords, and how safe are they from hackers and malicious employees? I have been using Dashlane to manage my passwords for a while now and I have no complaints so far. Check out my full Dashlane review.

Dashlane Security Features

Like most other password managers, Dashlane stores your passwords both locally on your device and on their servers. This is a great thing because you can access your passwords from any device just by logging in to your Dashlane account. But having your passwords in the cloud also makes them more accessible to hackers. So what makes Dashlane so secure?

Zero-Knowledge Architecture

In my opinion, this is the best security move ever made by Dashlane. They have absolutely no access to the user data. They implement this by having the user create a master password that is stored neither on the server nor locally on the user’s PC. To ensure that you set the strongest password, Dashlane enforces some rules that you need to follow. The password should be less than 8 characters long and should contain at least one uppercase letter, one lowercase letter, and one number. This is a general rule that you should follow even when setting passwords for your other accounts.

Dashlane then uses this password to encrypt all your other data that is stored in their database. But the original value of your password is still not strong enough for use in encryption and would only guarantee a small level of security. Hackers can still perform a brute-force attack by running a script that tries several combinations of your username and password until they get it right. Dashlane understands this, and so they use a Key Derivation Function (KDF) that derives a cryptographic key from your master password. The resulting key is known as a hash value.

The use of KDF to Generate a Hash Value from your Master Password

The concept of hash key generation may be a bit complex, so I am going to use a very basic hash function called SHA-256 to demonstrate how it works. Let’s assume that your master password is Pass@Dash123. When you run this through SHA-256, the result is a 256-bit hash value that looks like this: “424a0cf66873f76f06459cc0a6e438c9502a4e3e00fa47dafdae6b84272e4932”.

This is the value that will then be used to encrypt your data. The reason it’s perfect is that it is impossible to reverse engineer the hash value to get the original password. Note that SHA-256 is a very simple tool and does not come close to matching the PBKDF2 derivation function used by Dashlane.

The Master Password is not Transmitted over the Internet

In another move to protect your master password, Dashlane does not transmit it over the internet, since transmitting it would make it easy for hackers to intercept it before it is hashed. Instead, Dashlane conducts the password check locally on your computer. Only after the password is confirmed is it used to decrypt your user files.

You should also know that the master password is not recoverable. Dashlane has no knowledge of your password and they do not request that you add any hints that may be used to help you remember your password. You can still create a new password but it cannot decrypt your passwords since they were encrypted with a different key.
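The key derivation and the local master password check described above can be modelled in a few lines of Python. This is an added example, not code from the original article or from Dashlane: the iteration count, the 16-byte salt, the stored check value and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000          # assumed work factor for this sketch, not Dashlane's setting
CHECK_LABEL = b"vault-check"  # hypothetical constant used only for the local check


def sha256_hex(password: str) -> str:
    """Plain SHA-256: one fast, unsalted pass, so equal passwords give equal output."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: salted and iterated, so every guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def create_vault_header(master_password: str) -> dict:
    """Persist only salt, iteration count and a check value, never the password or key."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "iterations": ITERATIONS, "check": check}


def unlock(master_password: str, header: dict) -> Optional[bytes]:
    """Local check: re-derive the key and compare in constant time; nothing is sent out."""
    key = derive_key(master_password, header["salt"], header["iterations"])
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return key if hmac.compare_digest(check, header["check"]) else None


if __name__ == "__main__":
    header = create_vault_header("Pass@Dash123")   # constructed sample password
    print("correct password unlocks:", unlock("Pass@Dash123", header) is not None)
    print("wrong password unlocks:  ", unlock("Pass@Dash124", header) is not None)
    # Setting the vault up again draws a new salt, hence a different key,
    # which is why data encrypted under the old key stays unreadable.
    other = create_vault_header("Pass@Dash123")
    print("same key after re-setup: ", unlock("Pass@Dash123", other) == unlock("Pass@Dash123", header))
```

Because the header holds neither the password nor the key, anyone who copies it still has to pay the full PBKDF2 cost for every guess, which is the reason a strong master password matters.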

Dashlane is hosted on Amazon AWS

AWS is a comprehensive cloud platform that easily passes as one of the best cloud computing services. Therefore, the fact that Dashlane chose to host their servers on AWS is reassurance in itself. The cloud platform already has layers of security features and is monitored 24-7-365. Couple that with the various security features from Dashlane and you get why I am saying this password manager is ironclad.

Dashlane has a Built-In VPN

This is an extra feature by Dashlane that will be particularly helpful for those who do not have dedicated VPN software. The Dashlane VPN will add an extra layer of protection when you are browsing on public or untrusted Wi-Fi networks.

The Key Takeaway

So that’s the key breakdown of the Dashlane security features and my main reason for trusting the password manager with my passwords. Does this mean that Dashlane cannot be hacked? Absolutely not. Hackers are always looking for security loopholes that they can exploit to breach systems. Dashlane even acknowledges that they too can be victims of a cyber-attack or a rogue employee, so they employ white hat hackers to try and find the loopholes before the attackers can. Nonetheless, even in the event that their servers are breached, the numerous safety precautions in place will ensure that the hackers cannot access any meaningful information.

What is stored on the Dashlane servers and also on your PC is a bunch of scrambled data that only makes sense after decryption, a process that requires your master password. So you see why you need to make your password really strong.

Revoking A Device’s Access to your Dashlane Account

With everything that’s been said, it follows that the only way anybody can access your passwords is if they have your username and master password and use those details to log in to your Dashlane account, or if they have access to your mobile device while you are logged in to your account. So in the event that you lose one of your devices or suspect that it has been compromised, Dashlane allows you to revoke that device’s access to your account through their web portal.

Log in to the web portal, navigate to My Account and select the Manage Devices option. You will find a list of all devices that have access to your Dashlane account. Once you have revoked their permissions, they cannot log in to your account without the authentication code that is sent directly to your email.

ABOUT THE AUTHOR

Muhammad Zubyan

