

December 2021 update: three years (!) after this post was published, Dashlane finally updated their Password Changer to make it work locally. This post is therefore not relevant anymore, but I’d like to think it played a role in this change happening.

Hereunder the original post, for archival purposes.

Initially, this post should have been a comparison of password managers. However, while doing my research, I stumbled upon some concerning design choices regarding Dashlane, which pushed me to write and publish this post first. Specifically, I take serious issue with two of Dashlane’s features, both in the way they are designed and in the way they are presented. The first feature does not respect basic security by design principles, to which any application or organisation should automatically adhere when handling sensitive data. The main principle Dashlane tramples is the minimisation of their attack surface, as their design choices make them unable to guarantee that they will never have access to their users’ passwords without knowing their Master Passwords. This is something that every Password Manager must guarantee.

Dashlane’s design choices make them unable to guarantee that they will never have access to their users’ passwords.

The main problematic feature is their Password Changer: it may look awesome, but it represents a serious security issue. Rather than doing everything locally on the user’s machine, which is what another password manager with this feature does, Dashlane does it via their servers. Their FAQ mentions the following (emphasis mine):

A “suspicious log-in attempt” notification may appear when signing in to a site after using Password Changer, because your passwords are changed through our servers when using the Password Changer feature. Password Changer uses our servers to actually connect to the sites in order to update your passwords there. This is why a site may detect that you are signing in from another location and display a warning.

You read that right: when using Dashlane’s Password Changer feature, both your old and your new password transit through Dashlane’s servers, where they will be in plain text at one point or another, since they need to be able to fill them on the website they are changing the password for. They even mention this explicitly in their help pages on the Password Changer:
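To make the attack-surface argument concrete, here is an added toy model (written for this page, not Dashlane's code or any other vendor's) of the two Password Changer architectures described above. The `VendorServer`, `Website`, key-derivation and encryption routines are all constructed for the example; the point it shows is what the vendor's server gets to observe in each design: in the server-side flow it necessarily handles both the old and the new password in plain text (and the site sees a login from the vendor's origin, which is exactly the "suspicious log-in" the FAQ warns about), whereas in the local flow it only ever stores a vault blob encrypted under a key derived from the Master Password on the user's device.

```python
import hashlib
import hmac
import secrets

# --- Client-side vault cryptography (constructed for this example) ---------

def derive_key(master_password: str, salt: bytes) -> bytes:
    """Derive a 32-byte vault key from the Master Password. Only the client ever
    runs this, so the vendor never holds the key."""
    return hashlib.scrypt(master_password.encode(), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stream cipher keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault blob was tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# --- The two parties in the password-change flow (constructed stand-ins) ---

class Website:
    """The third-party site whose password is being rotated."""
    def __init__(self, password: str):
        self.password = password
        self.login_origins = []  # where each password-change login came from

    def change_password(self, origin: str, old: str, new: str) -> None:
        self.login_origins.append(origin)
        if old != self.password:
            raise PermissionError("old password rejected")
        self.password = new

class VendorServer:
    """The password manager's backend. `observed` records every plaintext
    secret that passes through it; a zero-knowledge design keeps it empty."""
    def __init__(self):
        self.observed = []
        self.vault_blobs = {}

    def store_vault(self, user: str, blob: bytes) -> None:
        self.vault_blobs[user] = blob  # opaque ciphertext from the server's view

    def server_side_change(self, site: Website, old: str, new: str) -> None:
        # Server-side flow: the backend connects to the site itself, so it must
        # hold both passwords in plain text to fill them in.
        self.observed += [old, new]
        site.change_password("vendor-server", old, new)

def local_change(server: VendorServer, site: Website, user: str,
                 master_password: str, salt: bytes, old: str, new: str) -> bytes:
    """Local flow: the user's device talks to the site and uploads only an
    encrypted vault entry. Returns the derived key so the caller can decrypt."""
    key = derive_key(master_password, salt)
    site.change_password("user-device", old, new)
    server.store_vault(user, encrypt(key, new.encode()))
    return key

def compare_flows() -> dict:
    """Run both architectures once and report what the vendor observed."""
    old, new, master, salt = "hunter2", "correct horse battery", "my master pw", b"\x01" * 16

    srv_a, site_a = VendorServer(), Website(old)
    srv_a.server_side_change(site_a, old, new)

    srv_b, site_b = VendorServer(), Website(old)
    key = local_change(srv_b, site_b, "alice", master, salt, old, new)
    blob = srv_b.vault_blobs["alice"]

    return {
        "server_side_plaintexts": srv_a.observed,
        "server_side_login_origin": site_a.login_origins[0],
        "local_plaintexts": srv_b.observed,
        "local_login_origin": site_b.login_origins[0],
        "blob_leaks_password": new.encode() in blob,
        "client_can_decrypt": decrypt(key, blob).decode() == new,
        "server_key_guess_fails": _wrong_key_fails(blob, salt),
    }

def _wrong_key_fails(blob: bytes, salt: bytes) -> bool:
    """Without the Master Password the vendor cannot open its own stored blob."""
    try:
        decrypt(derive_key("not the master password", salt), blob)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    for k, v in compare_flows().items():
        print(f"{k}: {v}")
```

The model is deliberately minimal (an HMAC-based stream cipher rather than a real AEAD), but the structural property is the one that matters: in the local design the only thing the vendor stores is a blob it cannot open without the Master Password, so a breach of its servers yields ciphertext, not credentials.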
