(Davey Winder) Dashlane dents my confidence.....

GTP

Well-Known Member
Location
Adelaide, Australia
Just as a few of the Real World Computing contributors use iStorage hardware-encrypted devices, so at least two of us have a liking for the Dashlane password management software. Or maybe that should be in the past tense? Let me explain.
I’ve used Dashlane for a while now and rather like the combination of ease of use and security it brings. I used to recommend LastPass, but after one too many vulnerability faux pas, I switched my recommendation to Dashlane.
But I started to notice some odd behaviour: passwords were being reported as weak, with the software issuing warnings that my security was at risk until I changed them. Ordinarily this would be a good thing, apart from the fact that the passwords in question were long, random and complex. Here’s an example of a “very unsafe” password according to Dashlane:

Wag)K|#U^}qaKV5#e&w7NY{d=

Yes, seriously. That’s about as weak as the steroidials pushing weights in the gym next to my office!
I did what any concerned user would do in the circumstances and reported the behaviour as a “premium support” customer. What happened next did nothing to restore my confidence. After 24 hours, a support person contacted me and suggested there may have been a breach on the site since creating the password, and that I should change it to one that was more than eight characters long with mixed numbers and symbols. The example I sent to them, of course, was the one I’ve just revealed here.
A tad narked, I replied and explained that the site hadn’t been breached and the 25 random character password was created by Dashlane’s own password generator. It took another day, and a request for the URL of the site concerned, before escalating the issue to the “technical experts” at Dashlane. A day later someone replied, informing me that the problem occurred when you create a password on a mobile platform and it is then checked on the desktop client. Apart from the fact that, on this occasion at least, the entry was created entirely on the desktop platform – but hey-ho. Eventually, the expert admitted: “the cross-platform issue is a part of the big problem – but, sometimes, it just fails to evaluate the strength of a password properly”.
Amazingly, he then stated that it never considers a weak password strong, so that was something. Yep, quite something. A month later, and despite Dashlane already being aware of this bug, it remains unfixed. Fine, it doesn’t impact upon the security of my passwords, but it does damage my trust. After all, if it can’t fix this bug then who knows what other ones are sitting in the code, waiting to be discovered? Looks like it’s back to KeePass with the software-encrypted password database stored on that hardware-encrypted drive then...
By Davey Winder davey@happygeek.com
 
I'm no security expert, but I'm pretty sure I do NOT want to know the inner workings / problems / procedures of ANY of the software I use. Some thoughts:

1. Keeping any software, let alone one in the security field, up to date & working has got to be a Herculean task
2. NO company has an unlimited budget for this task - ergo problems have to be prioritized
3. Development priorities are rarely based solely on the relative merit of the idea
4. End-user priorities ≠ support team priorities ≠ development priorities
5. The bigger the company, the less the support teams know about problems faced by development

I just hope it mostly works, and hope the times when I need to contact support are few. My general happiness level is inversely proportional to the amount of times I need to speak to company support.
 
If I use software - especially security software - I would like to be assured that it is actually "secure."
Some time ago Steve Gibson dedicated part of a podcast to the problems with LastPass. So Dashlane are not alone.
Thank the stars for people like Davey Winder, Tavis Ormandy, Steve Gibson and many, many others who care enough to dissect and inspect the inner and outer workings of what we take for granted as being safe to use.
I agree with your points above, but at the same time believe that if a company embarks on a project especially something as important as a "password manager" they should make sure the resources are available to the developers to test it thoroughly.
Not just at the start but continually, in real world situations, every version, every step of the way.
Hoping "it mostly works" will bite you on the ar*e! :p:D
 
Not sure there are really any great options out there.
  • LastPass has had issues in the past, though I'm not aware of any actual breaches. Plus side, the paid version isn't real expensive and the free version works on just about everything. Heck, even the "team" version is cheaper than the 1Password single-user account.
  • 1Password used to be just plain expensive but you could buy & just keep running, but now they're very actively pushing everyone to their cloud offering at $36/year
  • Dashlane is relatively unknown
  • KeePass is open source, but I'm not sure how it is on syncing across devices (requires keeping the file in Dropbox/Box/OneDrive/GDrive/etc. and running different implementations on each device). Also, a lot of functionality (e.g. browser plugins) is developed by third parties, so to some extent you need to trust them as well, since those plugins will presumably also have access to your key store.
 
Acer has this pre-installed. I remove it.

The gripe I have is security software that is pre-loaded without consent or knowledge (think end user), that has bugs and could provide attackers a vector to exploit.

There were toolbars in the past that were the subject of attacks; turns out they were badly written and pre-installed, so yeah.

Then again, Windows itself is poorly written and comes pre-installed on millions of PCs, and most don't know.
 
I cannot believe people store passwords in browsers! Might as well put your wallet on the bonnet of your car while you drive around.
Personally, I've never used nor will I ever use a "password manager."
I have about 45 passwords, all at least 30 random characters, but I get by without storing them anywhere other than on an SD card that I plug in when needed.
Copy/paste the p/word, eject the SD, copy some random crap to the clipboard (to clear it out) and move on.
 
Acer has this pre-installed. I remove it.

The gripe I have is security software that is pre-loaded without consent or knowledge (think end user), that has bugs and could provide attackers a vector to exploit.

There were toolbars in the past that were the subject of attacks; turns out they were badly written and pre-installed, so yeah.

Then again, Windows itself is poorly written and comes pre-installed on millions of PCs, and most don't know.

I've noticed that Intel preload crap on new laptops now. A couple of McAfee "Trust" modules and a couple of Intel services set to Automatic Startup.
 
I still use and recommend LastPass. They fix their issues very quickly. What more could you ask for? Hell, most people in the world still use Windows and look at the security holes that are patched monthly in that crap show.
 
Hoping "it mostly works" will bite you on the ar*e! :p:D

Haha - without question. I guess my stance was borne more out of facing the practical realities of the situation than blind trust.

Within my company, we use a software called "mSecure". I have no idea how it stacks up against the others, as I don't use them. While it can be a password manager, we use it as a way to securely share clients' sensitive data among the techs. I have a single desktop version installed at the office and Android versions installed on each tech's phone. It can be set to self-destruct after X number of incorrect passwords, etc. So far, it hasn't let us down.
 
Try this same password thing-a-ma-bob without the pipe symbol. | You see, the os usually sees that as different informations or something. Take out the pipe symbol and see if that changes the thing a lot. :) I bet you will be sir prized. hehehe
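An added illustration (not from the column or any poster) of the two strength-meter behaviours discussed in this thread: a simple charset-entropy estimate, which is a generic method and not Dashlane's actual algorithm, rates the 25-character password from the column as strong, while a hypothetical meter that treats the pipe symbol as a field separator (the idea raised in the post above) sees only the text before the `|` and reports it as weak. The delimiter bug and the rating thresholds are constructed for the example.

```python
import math
import string

# The generated password quoted in Davey Winder's column, flagged "very unsafe" by Dashlane.
PASSWORD = "Wag)K|#U^}qaKV5#e&w7NY{d="


def charset_size(pw: str) -> int:
    """Size of the smallest standard character pool covering every character in pw."""
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(len(pool) for pool in pools if any(c in pool for c in pw))


def entropy_bits(pw: str) -> float:
    """Upper-bound entropy for a uniformly random pw drawn from its character pool."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def rate(pw: str) -> str:
    """Map an entropy estimate to a label (thresholds are illustrative, not Dashlane's)."""
    bits = entropy_bits(pw)
    if bits < 50:
        return "weak"
    if bits < 80:
        return "fair"
    return "strong"


def truncating_meter(pw: str, delimiter: str = "|") -> str:
    """Hypothetical buggy meter: the delimiter is mistaken for a field separator,
    so only the first field is ever scored. Constructed to show the failure mode."""
    return rate(pw.split(delimiter)[0])


if __name__ == "__main__":
    print(f"{PASSWORD!r}: {entropy_bits(PASSWORD):.1f} bits -> {rate(PASSWORD)}")
    print(f"first field only: {truncating_meter(PASSWORD)}")
    print(f"'password1': {entropy_bits('password1'):.1f} bits -> {rate('password1')}")
```

A meter that truncates at a delimiter still never rates a genuinely weak password as strong, which is consistent with what Dashlane's expert told the author, yet it silently discards most of a long random one.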
 