
I've been asked by a user whether I would recommend using the Dashlane password manager. I'm aware that other password managers have had some significant security problems, including XSS and CSRF (see below). Is the Dashlane password manager vulnerable to those problems? Has anyone done an independent security analysis of it to see whether it shares those problems?

For instance, the following published research paper analyzed the security of five popular password managers (LastPass, RoboForm, My1login, Passwordbox, and NeedMyPassword) and found security vulnerabilities in four of the five:

The vulnerabilities ranged from garden-variety XSS and CSRF vulnerabilities, to more obscure attacks based on exploiting bookmarklets and the fact that they might be executed in a context together with malicious Javascript.

However, that paper didn't analyze the Dashlane password manager, perhaps because it has only recently started to get attention and capture significant market share.

Is there any publicly available security analysis of the Dashlane password manager, e.g., to assess whether it is vulnerable to those sorts of vulnerabilities, or any other resources or guidance to help users decide whether they should trust it to be secure?

D.W.
    Not a security analysis, but there's an article in today's *Wall Street Journal:* http://www.wsj.com/articles/a-quick-fix-for-poor-passwords-1418126603?KEYWORDS=dashlane When I read that passwords pass through Dashlane's servers unencrypted I quit reading. – Bob Brown Dec 09 '14 at 20:03
  • To be fair, that is only for their password changer feature, and it is quite possible that they are not able to implement that locally on the client. – Graham Hill Dec 10 '14 at 10:12
  • Related: [“What If Dashlane Gets Hacked?” – 5 Reasons Why Your Passwords Are Safe In Dashlane](https://blog.dashlane.com/what-if-dashlane-gets-hacked/). – kenorb Oct 10 '17 at 20:30

3 Answers


A security analysis was performed in May 2016:

That analysis attempts to look for largely the same types of vulnerabilities as the Li et al. paper cited in the question. They looked for XSS attacks, but found none. They were also able to bypass Dashlane's device authentication feature. Overall, they found Dashlane to be quite secure.

They analyzed Dashlane version 4.1.1. Dashlane has since been updated to version 4.6.8.

kenorb
Jan

Anything that stores your password on an online server outside of your control is to be considered insecure; there is no valid reason for your entire password collection to leave your home network.

The software your online password manager service (doesn't only apply to Dashlane) uses is most likely closed source, you know nothing about their security procedures nor if your passwords are really encrypted or just sitting in a passwords.txt file.

Second, their encryption - let's assume they use industry standard crypto that isn't flawed, and the key is your password hashed with a computationally expensive hash to prevent bruteforce... looks great, right? But what if a rogue sysadmin, developer or attacker gained access to the server? While he can't directly decrypt the database, he can modify the code that handles logging in to capture your password and wait for you to log in. Also, you may not be a high-profile target and no attacker would waste his time compromising you, but here the attacker instead aims to compromise the entire password manager service to get the passes for all users, not just you.

Then, there's law enforcement, they can almost always force the company to disclose your passwords; if the databases are encrypted they'll probably use the approach stated above and wait for you to log in. While passwords for most online services aren't of much value since law enforcement can also force them to disclose your data, passwords for services in other countries (where L.A. has no authority) or your servers/encrypted drives are very valuable for them.

Now compare that to a Keepass database stored locally on a possibly encrypted hard drive, where an attacker should either physically steal the machine (and then bruteforce eventual disk encryption and the database's password), alter it (add a keylogger and wait for you to log in and decrypt the pass DB), or remotely compromise it which isn't worth his time if you aren't a high profile target and is often difficult.

Matthew
  • It would generally be difficult for an attacker to do this to an online service undetected. Not impossible, however a large service such as Lastpass will have IDS / IPS and monitoring systems in place to detect such breaches. – SilverlightFox Dec 10 '14 at 19:28
  • Difficult doesn't mean impossible, the point is that you trust a random company with your entire digital life and that's something a bit too dangerous in my opinion. –  Dec 10 '14 at 19:30
  • "there is no valid reason for your entire password collection to leave your home network" Synchronizing your entire password collection across devices as Dashlane does is a "valid reason". – Heather Aug 23 '16 at 21:52
  • If you "aren't a high profile target," then *nobody*, law enforcement, rogue sysadmin, or otherwise, is going to modify the service's code just to obtain your master password. Software engineer-hours are far too expensive for that. – Kevin Jul 14 '17 at 03:53
  • "the key is your password" ... Which would make resetting your password impossible. If there is a password reset option, then essentially anyone with access to the relevant system can read your passwords. @Kevin Login credentials of nobodies are stolen all the time in mass hacks for the purpose of further mass scale shenanigans, e.g. emptying PayPal accounts, selling organic Facebook likes, yadda. – Mantriur May 08 '20 at 13:51

There’s only one key to unlocking your encrypted data. By default, you and only you have it. It’s how we make sure that even if hackers breached our servers, there would be nothing that could tie your information to you.

At least that's what they say.

Anders
  • Hello and welcome to Information Security! In the future, please always provide a link or other source when you quote something. I added one for you here. – Anders Mar 03 '17 at 12:06
  • As it stands, this does not answer the question, which was not about whether Dashlane claims you control the only key, but about potential vulnerabilities to XSS and CSRF, and whether there is public analysis of it. Can you update your answer to better address the question? – Xander Mar 03 '17 at 15:11