How Dashlane makes your passwords hack-proof


#1

Originally published at: https://boingboing.net/2018/05/02/how-dashlane-makes-your-passwo.html


#2

The passwords can still be brute-forced; therefore, they are not hack-proof. Indeed, there are many ways of compromising security credentials; neither Dashlane nor any other product can completely inoculate individuals from such attacks.


#3

My problem with password managers is this:

Sure, we can evaluate how secure the passwords they generate are. But how can we evaluate how securely they store those passwords?

You know, aside from cracking open IDA, which I really have no time for most of the time.

ETA: And I’m not that great with IDA, either.


#4

I bloody hate Dashlane.

I installed it briefly, and every single time I type a password, it asks me to save it. There is no way of telling Dashlane “Don’t call me, I will call you when I want a password remembered”. No way of telling it “Don’t save this particular password, and don’t ask about this particular password again”.

The plain old low-security password manager in every modern browser at least lets you tell it that this particular website is one for which you want to manage the password yourself - and that you don’t want to be constantly put at risk of fat-fingering a dialog option every single time you visit the website.

I am not going to have a third party with whom I have no meaningful audit access and over whom I have no contractual force, store my work passwords (I’d deserve to be up for disciplinary action if I knowingly did so), and I’m not going to use a password manager that insists on repeatedly placing me at risk of doing so in a moment of inattention.


#5

IMHO, a much better solution, if you decide to store your many passwords on the PC for convenience but in a potentially vulnerable state (raises hand: guilty) is the FOSS app KeePass. I believe that it can do autofill but I’ve always used a firebreak with copy/paste; it will autoclear the entry in the clipboard after so many seconds.

Can reside on, and be run from, a USB stick w/o needing an install routine.


#6

I just let Firefox store my passwords; it lets you set a master password that you have to enter each browser session, and it encrypts your passwords as well.


#7

LastPass does all this stuff except for free.


#8

Don’t fall into the third party doctrine. Keep important things (like all the keys to your digital life) local.

I prefer:
KeePass


#9

I have been using clipperz.com for a long time. When I saw the screenshot for Dashlane, I thought it looks like Clipperz but Clipperz is Free. The key benefit of Clipperz is that it is entirely web-based (so can be accessed from anywhere) but the server only has your encrypted data – to see your passwords, the decryption happens on the local machine in the browser. The server doesn’t have your key and can never decrypt your data. Sensitive data is never sent in the clear.

It has other features (from the site):
“offline copy, for when no Internet access is available
import and export, because it’s your data
mobile version, a convenient web version for your smartphone
direct logins, to never type a password again
one-time passwords, for secure access from insecure devices”

And … If you really want to be super secure, Clipperz is open source so you can host the application on your own server.


#10

Come on BoingBoing, please, please stop recommending unauditable, closed-source, for-profit password managers with histories of serious security problems. Especially when solid open-source options PasswordSafe and KeePass exist.

And, if you are going to keep on recommending proprietary password managers, before recommending one, at least take 30 seconds to search the web for whether Tavis Ormandy has felt it appropriate to eviscerate the candidate under consideration.

@Diederik_Werken: Using Firefox’s (or any browser’s) built-in password manager is a terrible idea. Your browser’s very purpose for being is to run untrusted code fetched from arbitrary remote servers. It’s by far the most exposed surface on your PC, and therefore the very last place you want to store secrets. The same goes for password managers with browser integration via plugins/extensions. Terrible idea. A password manager should be fully independent of the browser and use the clipboard and/or emulated keystrokes to input credentials.


#11

My only experience with Dashlane has been as a piece of preinstalled software on PCs I set up for clients. It was so persistently annoying in its attempts to get me to set it up, constantly popping up messages every time I was trying to accomplish some other task, that I felt it was my ethical duty to uninstall it. If a software installer is that whiny and desperate, I feel there must be something badly wrong with the product.


#12

This topic was automatically closed after 5 days. New replies are no longer allowed.