Dashlane and the Heartbleed Bug

On Monday, April 7th, a vulnerability called Heartbleed was discovered in OpenSSL, a cryptographic library used by websites to handle SSL and HTTPS. The vulnerability is a major concern because OpenSSL is widely used, and it could allow normally encrypted web communications to be intercepted.

First, we want to update you on how this impacts Dashlane:

  • Your Dashlane accounts are not impacted by this flaw
  • Your Master Passwords are safe as they are never transmitted
  • Your personal data when transmitted is always ciphered locally with AES 256, which is not affected by the Heartbleed vulnerability

More specifically, though we use OpenSSL when syncing your personal data with our servers:

  • Your Master Password is never transmitted over any network, neither is any derivative of your Master Password
  • Your personal data is ciphered locally, with your Master Password, before being sent to our servers, using a cryptographic algorithm not affected by Heartbleed (AES 256)

The HeartBleed Bug – What is it?

According to Heartbleed.com (a site built by the bug’s discoverers):

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

How does this affect my Dashlane account?

As we mentioned above, your Dashlane account and Master Passwords are safe. Our servers have been updated with the patch, we have revoked previous certificates and rolled out new ones. There will be no interruption in our services, and the information that you store in Dashlane is not affected by the Heartbleed bug.

Though your Dashlane account remains safe, many of the websites that you use do not have the level of security and encryption that we use. We recommend you generate new passwords on your most important accounts – banking, email, social networks, or any shopping sites where you store your payment info. However, the sites that you use need to employ the patch for this bug before your account is secure again. Otherwise, you’ll need to change your passwords again once that’s done.

What’s next? 

We understand you might be worried as the whole Internet seems to be a bit shaken by this. We see this issue as a test for our security architecture that gave proof to how solid it is.

The most important thing is to make sure you use different passwords everywhere, because if your password is stolen on one site, it will not impact other sites; this was true before Heartbleed and is even more true today.

We’ll be sure to keep you updated about the situation, and we want to thank you for securing your data in Dashlane.


  • MB

    Dashlane customer here. I Highly recommend you try and get ahold of that list of of 500,000 websites that are supposedly vulnerable, feed it into it into our Security Dashboard and list the every single one of those sites as Compromised. Anyone who has an account on any of these sites needs to assume the worst and after the bug has been patched new passwords need to be created at for all of those sites. Thank you.

    • Aaron

      Indeed, I am waiting for this as well…

      • FS

        MB and Aaron, CNET recommends this site
        http://filippo.io/Heartbleed/ to check if services are vulnerable or not (http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/). It is a slow, manual process but with your password list on dashlane you can check which sites are patched and safe to change you password. This way you can at least cross your main services off the list

        • Ashley Thurston

          HI FS, Thanks for sharing that checker. We agree – that’s a slow process. Not only that, it’s in incomplete one. I’ve addressed why in this blog post if you’re interested. (Apologies in advanced for the length, but it was necessary.) https://www.dashlane.com/blog/security/heartbleed-bug-advice/ Thanks!

          • Sarah J. D.

            i did a check for dashlane.com and it flunked. What does this mean?

          • Ashley Thurston

            Hi Sarah, Great question! It’s an error with the checker. Our site was secured earlier this week. Thanks!

      • Michael

        Lastpass has already done this…!

        • Suzanne

          Exactly! Why does Last Pass, which is free, offer this, when a paid service like Dashlane doesn’t?

          • Ashley Thurston

            Hi Suzanne, Thanks for your comment! As a company, we have to take the approach that we can stand behind. I’ve just published a blog that details why and what we’re doing to alert our users. (Apologies in advanced for the length, but it was necessary.) I hope you’ll give it a read: https://www.dashlane.com/blog/security/heartbleed-bug-advice/ Also, just to clarify (…wouldn’t want you or anyone to think that it’s required to buy Dashlane) we offer a free & Premium product, too. Thanks!

        • Ashley Thurston

          Hi Michael, We’re aware that LastPass has a checker, however, we’ve taken our own approach. I’ve detailed it in this blog, which I hope you’ll read: https://www.dashlane.com/blog/security/heartbleed-bug-advice/ Thanks!

      • Ashley Thurston

        Hi Aaron, Thanks for sharing your comment! I’ve just published a blog that addresses our approach to alerting users about Heartbleed. I think you’ll find it interesting & I hope you’ll give it a read: https://www.dashlane.com/blog/security/heartbleed-bug-advice/ Thanks!

        • Aaron

          So basically, there is no point in sending out the alerts because we need to change everything anyway?

          That’s fine, it’s not Dashlane’s fault, but I think you might want to communicate this VERY CLEARLY to avoid pr backlash like what’s in this thread. Your approach may be better than LastPass’s, but people aren’t understanding that, and although your article does explain, it’s kind of buried in there and not spelled out explicitly. Even the bolding, etc,. in the article does not draw attention to that particular information. I skimmed the article and didn’t really get it – I had to go back and read line for line, which most people won’t do.

          IMO, you should do another blog post to really spell out why Dashlane is handling it better.

          • Aaron

            Not trying to play armchair qb here, I just think the bottom line is that things haven’t been explained as clearly as you may have intended. Good luck!

    • Adam Cooper

      I’m waiting for this feature as well. Any plans?

    • http://pcalv.es Paulo Coelho Alves

      This would be great to have.

    • Tux

      This is a desperately needed feature right now. I switched from Lastpass to Dashlane, but right now I wish I was still using Lastpass because of this.

      • Ashley Thurston

        Hi Tux, Thanks for your feedback. We hear you…I’ve just published a blog addressing your request and what we’re doing to alert our users about Heartbleed vulnerabilities. I hope you’ll give it a read: https://www.dashlane.com/blog/security/heartbleed-bug-advice/ Let us know if you have any questions. Thanks!

    • Ashley Thurston

      Hi MB – Thanks for your comment! We completely agree that everyone needs to assume the worst. I’ve just published another blog about the course of action we’re taking. Apologies in advance for the length, but it’s full of valuable info in regards to your request. Here it is: https://www.dashlane.com/blog/security/heartbleed-bug-advice/ I hope you’ll give it a read and share your thoughts. Thanks!

  • http://tonygill.com Tony Gill

    Thanks for providing a succinct, comprehensive, timely, and reassuring update!

    • Ashley Thurston

      Absolutely – thanks for choosing Dashlane :)

  • http://pcalv.es Paulo Coelho Alves

    Thank you for this post, it’s nice to be reassured.

    If I could just offer one piece of criticism: the advice to “generate new passwords”, while very sound, clashes a bit with your application’s UI. There’s no way to sort password by Date Updated — like you can with Secure Notes —, so, unless you’re keeping track of the passwords you’ve already changed, it can quickly become quite a frustrating task. Of course, you’ll rarely ever need to change all of your passwords, but such a feature would play nice with another good practise: changing passwords regularly.

    • Ashley Thurston

      Thanks for your comment, Paulo!

      When you’re in the Security Dashboard, you can check the box “Mark as checked” if you’ve just changed the password for that site. See here: http://ow.ly/vBGZE But we agree that it’d be helpful to see the date that you updated it, and it’s already on our roadmap.

      Hope that helps you keep track of which ones you’ve changed at least for now. Thanks!

      • MB

        I don’t have this option in Dashlane? Is your Mac version not the asme as your Windows version?

    • Ashley Thurston

      Hi Paulo, I almost forgot (Heartbleed brain)…if you go to Tools > See Generated Passwords in the app, you’ll see that date that you last generated that password. See here: http://ow.ly/vEZIh Hope that helps!

  • Louise Owen

    Lastpass has set up a tool for testing whether a site is vulnerable. Can Dashlane do something of the sort?

    • Ms Donald

      I second Louise Owen’s request that Dashlane provides the same kind of service that Lastpass does, regarding Heartbleed!

      • Jonathan Schütz

        I second the seconding!

        • Charles Prewitt

          I third the second

          • http://Webside Lars

            Can I fourth the third?

    • Ashley Thurston

      Hi all, Thanks for your comments. We hear you.. I’ve just published a blog that addresses your request and the course of action we’re taking to alert our users about Heartbleed vulnerabilities. I hope you’ll give it a read: https://www.dashlane.com/blog/security/heartbleed-bug-advice/ Thanks!

  • Bill Rucker

    This post was informative but may have glossed over some issues.

    First, as a list of affected sites becomes available, Dashlane should recommend generating new passwords for those sites based on date of password change.

    Second, what about vulnerabilities from logging directly into the website? If Dashlane used a vulnerable OpenSSL release (which appears to be the case):
    — Doesn’t that expose the encrypted (multiple iterations of unidirectional salted hash I hope?) master password itself (with a short or guessable password exacerbating the vulnerability)?
    — Isn’t the user vulnerable to a man-in-the-middle spoof of Dashlane?

    Remember that if you use a password or password pattern at any vulnerable site, then all other sites with the same pattern are vulnerable.

    • Kevin Roulleau

      Hello Bill,

      Your Dashlane master password is never transmitted in any way over the network, thus it is safe from the heartbleed bug.


      • Kamiel

        What about, like Bill mentioned, logging in directly to the website? https://www.dashlane.com/app/#signin asks for my master password, is that not transmitted to your servers?

        The same goes for (I assume) a cookie, token, or identifier that identifies my browser to the Dashlane website. How can you tell if my device is authenticated without actually sending any (derivative of) a private key to your servers?

  • Bill Rucker

    Might also be useful if Dashlane tested whether the site is updated as it enters the credentials and warn users that a site is still vulnerable. Major sites will be updated quickly but with very roughly 3/4 of the web probably affected lots of sites will lag behind. This would probably be much easier to implement than finding all the sites that _were_ vulnerable.

  • http://Website Adam Tybor

    What about device id’s and authentication? My understanding is the device id is what is used to communicate and authenticate with the dashlane cloud services. Wouldn’t this key potentially be compromised since it was being sent over the insecure ssl tunnel?

  • Evan

    As others have mentioned, I would expect Dashlane to be pushing this information to the Security Dashboard. I should be notified of any accounts I have that could be compromised, as well as when those sites have patched their OpenSSL implementation and it is safe to update the passwords.

    I understand no one expected a security hole this large to ever occur, but hopefully this event will help drive development to allow Dashlane to be a proactive guardian for our security.

  • Kevin

    I strongly recommend that Dashlane add a Heartbleed vulnerability list to its Security Dashboard just like Lastpass has done as quickly as possible. Lastpass is getting an enormous amount of positive press about this and is no doubt picking up thousands of new customers in the process. Dashlane is missing a huge opportunity here. Hope it is on the way soon…

  • Naren jain

    Just wondering whether Dashlane generated or saved passwords are accessible to Dashlane staff/server/network personnel?

  • Jim Burns

    I’ve opened a ticket on a problem and received a response, but no one mentioned the Heartbleed Bug. On about April 8 I signed into my Dashlane account and instead of getting a list of my user IDs and passwords, I got a screen saying I have no user IDs or passwords listed with Dashlane (I had at least 20). I was told that apparently my account had been reset, but is it possible that all of this information fell victim to the Heartbleed Bug and all of my user IDs and passwords have been compromised?

  • Kelly

    I’d like a feature that shows the date of when I last changed my individual passwords- I have a ton to do and it’ll take more than one sitting so its hard to keep track of what has been done. And in the regular non-panic use there are sites that I’d like to change periodically anyway, it’d be nice if Dashlane could keep track of that for me.

    • Marc

      +1, and was actually surprised that feature is not already there.

  • Gerald G

    what about an integrated heartbleed checker for dashlane?

    it could directly check a saved url/service for vulnerability. in addition it could check certificate renewals, as one probably is only safe again after a service also uses reissued certificates.

    moreover a renewal date around mid april 2014 could be a strong indication that a service _was_ affected, even it it is no longer. it might be hard or even impossible to know that for any site/service out there, i.e. if the operator had on one hand taken all appropriate steps to fix the issue, but doesn’t also alert all its users.

    my list contains several hundred logins, and i’d be happy if there was some automated check 😉

  • James Bray

    “Your Master Password is never transmitted over any network, neither is any derivative of your Master Password”

    Does this also apply when logging in on the Dashlane site using my master password?



  • http://skill-hacks.com The Best Resource for Cheats

    Everyone loves what you guys are up too. Such clever work and coverage!
    Keep up the excellent works guys I’ve added you guys to our blogroll.

  • Joanna H.

    I was slow to change my passwords, and didn’t do so until a couple days ago. (Shame on me). Do I need to change them again after a couple weeks? I’m guessing not, but will do so if necessary.

    • Ashley Thurston

      Hi Joanna,

      Thanks for getting in touch! If you changed your passwords a few days ago, then it was after sites were secured from Heartbleed, so you’re good. I’ll add, however, that if you’re reusing passwords anywhere, you should get rid those guys and make them random & strong :) You can see which ones are weak or reused in the Security Dashboard. See here for more info: http://support.dashlane.com/customer/portal/articles/search?q=security+dashboard

      Hope that helps!